lxc-start: exit early and cleanly if we have insufficient privs

[mirror_lxc.git] / src / lxc / caps.c

diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 1610002ac08d9632079f911904e227a0b88992be..10a0b4aaca1123cee1b7bbf28d97413b3aeccd2d 100644 (file)
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -213,3 +213,42 @@ int lxc_caps_last_cap(void)
 
        return last_cap;
 }
+
+/*
+ * check if we have the caps needed to start a container.  returns 1 on
+ * success, 0 on error.  (I'd prefer this be a bool, but am afraid that
+ * might fail to build on some distros).
+ */
+int lxc_caps_check(void)
+{
+       uid_t uid = getuid();
+       cap_t caps;
+       cap_flag_value_t value;
+       int i, ret;
+
+       cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };
+
+#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))
+
+       if (!uid)
+               return 1;
+
+       caps = cap_get_proc();
+       if (!caps) {
+               ERROR("failed to cap_get_proc: %m");
+               return 0;
+       }
+
+       for (i=0; i<NUMCAPS; i++) {
+               ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);
+               if (ret) {
+                       ERROR("Failed to cap_get_flag: %m");
+                       return 0;
+               }
+               if (!value) {
+                       return 0;
+               }
+       }
+
+       return 1;
+}