From 78bf6d0c6ea7eede1f45254519ddb7f9a796e937 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 9 Oct 2019 10:13:15 +0200
Subject: refresh: do not access network ns if not in the namespace

Signed-off-by: Giuseppe Scrivano
---
 libpod/boltdb_state.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libpod/boltdb_state.go b/libpod/boltdb_state.go
index e43d54eee..0bb1df7b8 100644
--- a/libpod/boltdb_state.go
+++ b/libpod/boltdb_state.go
@@ -2,6 +2,7 @@ package libpod

 import (
 "bytes"
+ "os"
 "strings"
 "sync"

@@ -658,9 +659,13 @@ func (s *BoltState) UpdateContainer(ctr *Container) error {
 return err
 }

- // Handle network namespace
- if err := replaceNetNS(netNSPath, ctr, newState); err != nil {
- return err
+ // Handle network namespace.
+ if os.Geteuid() == 0 {
+ // Do it only when root, either on the host or as root in the
+ // user namespace.
+ if err := replaceNetNS(netNSPath, ctr, newState); err != nil {
+ return err
+ }
 }

 // New state compiled successfully, swap it into the current state
--
cgit v1.2.3-54-g00ecf
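Review bot: In the second hunk, `os.Geteuid() == 0` is used as a proxy for "this process can reach the container's network namespace", but effective UID 0 alone does not show which user namespace the process is in or which capabilities it holds, so the guard and the commit subject ("if not in the namespace") are not quite the same condition. When the guard is false, the `netNSPath` read from the database is skipped silently and `newState` is swapped in without the network-namespace step; replaceNetNS is not visible here, so what the in-memory netns handle holds afterwards is an assumption to confirm. The comment should record that outcome, for example `// Otherwise the netns handle in newState is left unset; callers must not assume it matches the database.`, and a debug-level log line on the skipped path would make a refresh from outside the user namespace diagnosable. UpdateContainer begins and ends outside the hunk, so later uses of the state could not be checked.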