system: enhance check for re-exec into rootless userns

Previously, the setup only checked for the CAP_SYS_ADMIN capability, which could be not enough with containerized Podman where CAP_SYS_ADMIN might be set for an unprivileged user. Closes: containers#20766 [NO NEW TESTS NEEDED] needs containerized Podman Signed-off-by: Giuseppe Scrivano <[email protected]>
openshift-cherrypick-robot · Jan 30, 2024 · b3ec3c9 · b3ec3c9
1 parent ffb54fb
commit b3ec3c9
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
@@ -87,7 +87,8 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 	if err != nil {
 		return err
 	}
-	if hasCapSysAdmin {
+	// check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
+	if os.Geteuid() == 0 && hasCapSysAdmin {
 		ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
 		if err != nil {
 			logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)