summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2021-04-22 14:57:49 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2021-04-26 08:58:55 +0200
commit722ea2f1f82ff16271b50b508d709e5da275e32a (patch)
tree31c519d969bfe6ce6f16d5fceacd54025de78b39 /pkg
parente4c269e2d01dee6497269e62119126b93e388da3 (diff)
downloadpodman-722ea2f1f82ff16271b50b508d709e5da275e32a.tar.gz
podman-722ea2f1f82ff16271b50b508d709e5da275e32a.tar.bz2
podman-722ea2f1f82ff16271b50b508d709e5da275e32a.zip
runtime: create userns when CAP_SYS_ADMIN is not present
when deciding to create a user namespace, check for CAP_SYS_ADMIN instead of looking at the euid. [NO TESTS NEEDED] Needs nested Podman Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/domain/infra/abi/system.go7
1 files changed, 6 insertions, 1 deletions
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 6319c1ab1..9bba0fa6c 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -21,6 +21,7 @@ import (
"github.com/containers/podman/v3/pkg/util"
"github.com/containers/podman/v3/utils"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@@ -58,7 +59,11 @@ func (ic *ContainerEngine) Info(ctx context.Context) (*define.Info, error) {
func (ic *ContainerEngine) SetupRootless(_ context.Context, cmd *cobra.Command) error {
// do it only after podman has already re-execed and running with uid==0.
- if os.Geteuid() == 0 {
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return err
+ }
+ if hasCapSysAdmin {
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
if err != nil {
logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)