static bool do_destroy_container(struct lxc_conf *conf) {
int ret;
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ret = userns_exec_full(conf, storage_destroy_wrapper, conf,
"storage_destroy_wrapper");
if (ret < 0)
if (ret < 0 || (size_t)ret >= len)
goto out;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_1(conf, lxc_unlink_exec_wrapper, path,
"lxc_unlink_exec_wrapper");
else
ret = snprintf(path, len, "%s/%s", p1, c->name);
if (ret < 0 || (size_t)ret >= len)
goto out;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_full(conf, lxc_rmdir_onedev_wrapper, path,
"lxc_rmdir_onedev_wrapper");
else
}
}
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
if (chown_mapped_root(newpath, c->lxc_conf) < 0) {
ERROR("Error chowning %s to container root", newpath);
goto out;
data.c1 = c2;
data.flags = flags;
data.hookargs = hookargs;
- if (am_host_unpriv())
+ if (am_guest_unpriv())
ret = userns_exec_full(c->lxc_conf, clone_update_rootfs_wrapper,
&data, "clone_update_rootfs_wrapper");
else
static bool do_lxcapi_add_device_node(struct lxc_container *c, const char *src_path, const char *dest_path)
{
+ // cannot mknod if we're not privileged wrt init_user_ns
if (am_host_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
static bool do_lxcapi_remove_device_node(struct lxc_container *c, const char *src_path, const char *dest_path)
{
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
}
pid_t init_pid;
int ret = 0;
- if (am_host_unpriv()) {
+ if (am_guest_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
}
int ret;
pid_t pid, pid_outside;
- if (am_host_unpriv()) {
+ /*
+ * TODO - if this is a physical device, then we need am_host_unpriv.
+ * But for other types guest privilege suffices.
+ */
+ if (am_guest_unpriv()) {
ERROR(NOT_SUPPORTED_ERROR, __FUNCTION__);
return false;
}