The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2213

This e-mail was sent by the LXC bot; direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
This reverts commit 8d961e28f1d759669b477a659cbb694aaa2af915.

Unfortunately I don't believe the check is correct in the general case.

(not in the actual commit msg) - in particular, root-started containers in an unprivileged container will end up starting under the cgroup which systemd assigned (for instance) or, worse, which the user calling 'sudo lxc-start mailcontainer -d' logged in as.
From 80c689220df4db001e9d3ec9c5c1936cdc59ec3d Mon Sep 17 00:00:00 2001
From: Serge Hallyn <shal...@cisco.com>
Date: Tue, 13 Mar 2018 12:55:02 -0500
Subject: [PATCH] Revert "cgroups: don't escape if we're not real root"

This reverts commit 8d961e28f1d759669b477a659cbb694aaa2af915.

Unfortunately I don't believe the check is correct in the general case.
---
 src/lxc/cgroups/cgfsng.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index f337be449..10c7ab2cf 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1368,7 +1368,7 @@ static char *cg_unified_get_current_cgroup(void)
        bool will_escape;
        char *copy = NULL;
 
-       will_escape = !am_host_unpriv();
+       will_escape = (geteuid() == 0);
        if (will_escape)
                basecginfo = read_file("/proc/1/cgroup");
        else
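Review bot: The restored line `will_escape = (geteuid() == 0);` carries no comment saying why the effective uid is the right test here, and the commit message only states that the previous check is not correct "in the general case". The concrete failure (root-started containers inside an unprivileged container ending up under the cgroup systemd or the calling user's login session assigned) appears only in the pull-request description, which is marked as not being in the commit message. Please put that rationale in the commit message or in a short comment above the assignment, so a later reader does not reintroduce `!am_host_unpriv()`. It is also worth stating there that `geteuid() == 0` is true for root inside a user namespace as well, so this branch reads `/proc/1/cgroup` in that case too, which is the behaviour the reverted commit's title ("don't escape if we're not real root") set out to change.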
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
