goto on_error;
}
- ret = lxc_setgroups(0, NULL);
- if (ret < 0 && errno != EPERM)
+ if (!lxc_setgroups(0, NULL) && errno != EPERM)
goto on_error;
/* Set {u,g}id. */
if (ret < 0)
return -1;
- ret = lxc_setgroups(0, NULL);
- if (ret < 0)
+ if (!lxc_setgroups(0, NULL))
return -1;
ret = unshare(CLONE_NEWNS);
{
int ret;
char path[PATH_MAX];
- bool have_cap_setgid;
uid_t new_uid;
gid_t new_gid;
struct lxc_list *iterator;
/* Drop groups only after we switched to a valid gid in the new
* user namespace.
*/
- ret = lxc_setgroups(0, NULL);
- if (ret < 0 && (handler->am_root || errno != EPERM))
+ if (!lxc_setgroups(0, NULL) &&
+ (handler->am_root || errno != EPERM))
goto out_warn_father;
ret = prctl(PR_SET_DUMPABLE, prctl_arg(1), prctl_arg(0),
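Review bot: The `errno != EPERM` test in `if (!lxc_setgroups(0, NULL) && (handler->am_root || errno != EPERM))` depends on errno surviving the wrapper, but lxc_setgroups() calls SYSERROR() between the failing setgroups() and its return. SYSERROR's definition is not visible here; if the logging path can modify errno, an expected EPERM could be treated as fatal, or a different failure could be read as EPERM and a failed group drop tolerated. The earlier `errno != EPERM` check that jumps to `on_error` reads errno the same way. Consider preserving it inside the wrapper with `int saved_errno = errno;` before the log call and `errno = saved_errno;` before `return false;`. The enclosing function starts and ends outside this hunk.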
new_uid = handler->conf->init_uid;
new_gid = handler->conf->init_gid;
- /* If we are in a new user namespace we already dropped all groups when
- * we switched to root in the new user namespace further above. Only
- * drop groups if we can, so ensure that we have necessary privilege.
- */
- #if HAVE_LIBCAP
- have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
- #else
- have_cap_setgid = false;
- #endif
- if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) {
- ret = lxc_setgroups(0, NULL);
- if (ret < 0)
- goto out_warn_father;
- }
-
/* Avoid unnecessary syscalls. */
if (new_uid == nsuid)
new_uid = LXC_INVALID_UID;
if (ret < 0)
goto out_warn_father;
+ /* If we are in a new user namespace we already dropped all groups when
+ * we switched to root in the new user namespace further above. Only
+ * drop groups if we can, so ensure that we have necessary privilege.
+ */
+ if (lxc_list_empty(&handler->conf->id_map))
+ #if HAVE_LIBCAP
+ if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))
+ #endif
+ if (!lxc_setgroups(0, NULL))
+ goto out_warn_father;
+
ret = lxc_ambient_caps_down();
if (ret < 0) {
ERROR("Failed to clear ambient capabilities");
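Review bot: The relocated group drop (`if (lxc_list_empty(...))` / `#if HAVE_LIBCAP` / `if (lxc_proc_cap_is_set(...))`) changes behaviour on builds without libcap: the removed code set `have_cap_setgid = false` and never called lxc_setgroups() there, whereas the new nesting calls it whenever the id map is empty and jumps to `out_warn_father` on any failure, EPERM included. If that stricter behaviour is intended it needs a comment, because the retained comment ("Only drop groups if we can") no longer describes the no-libcap path. Three brace-less `if`s threaded through a preprocessor conditional are also easy to break in a later edit, so an explicit flag and braces would be safer. The block has moved later in a function whose body extends beyond this hunk, and the visible context does not show where the uid/gid switch happens, so please confirm the drop still runs before it. The fence keeps the new no-libcap behaviour; initialise the flag to `false` to restore the old one.

```c
	/* ... unchanged: comment block above the group drop ... */
	if (lxc_list_empty(&handler->conf->id_map)) {
		/* Without libcap CAP_SETGID cannot be probed, so attempt the drop. */
		bool can_setgroups = true;

#if HAVE_LIBCAP
		can_setgroups = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
#endif
		if (can_setgroups && !lxc_setgroups(0, NULL))
			goto out_warn_father;
	}
	/* ... unchanged: lxc_ambient_caps_down() call ... */
```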
if (ret < 0)
return -1;
- ret = lxc_setgroups(0, NULL);
- if (ret < 0)
+ if (!lxc_setgroups(0, NULL))
return -1;
return lxc_rsync_exec(args->src, args->dest);
if (ret < 0)
return -1;
- ret = lxc_setgroups(0, NULL);
- if (ret < 0)
+ if (!lxc_setgroups(0, NULL))
return -1;
src = lxc_storage_get_path(orig->dest, orig->type);
}
/* Simple covenience function which enables uniform logging. */
-int lxc_setgroups(int size, gid_t list[])
+bool lxc_setgroups(int size, gid_t list[])
{
if (setgroups(size, list) < 0) {
- SYSERROR("Failed to setgroups().");
- return -errno;
+ SYSERROR("Failed to setgroups()");
+ return false;
}
- NOTICE("Dropped additional groups.");
+ NOTICE("Dropped additional groups");
- return 0;
+ return true;
}
static int lxc_get_unused_loop_dev_legacy(char *loop_name)
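Review bot: Changing lxc_setgroups() from `int` (0 on success, negative on failure) to `bool` inverts the success value under the same name, so any caller not converted in this commit still compiles. A leftover `ret = lxc_setgroups(0, NULL); if (ret < 0)` would become an always-false check, and a failed supplementary-group drop would go unnoticed. Only the call sites in this diff are visible, so it is worth searching the tree for remaining `lxc_setgroups(` uses that compare against `< 0` or treat zero as success. The one-line comment above the function should also state the new contract, for example `/* Logs and returns false if setgroups() fails, true otherwise; callers inspect errno after a false return. */`.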
* If LXC_INVALID_{G,U}ID is passed then the set{g,u}id() will not be called.
*/
extern int lxc_switch_uid_gid(uid_t uid, gid_t gid);
-extern int lxc_setgroups(int size, gid_t list[]);
+extern bool lxc_setgroups(int size, gid_t list[]);
/* Find an unused loop device and associate it with source. */
extern int lxc_prepare_loop_dev(const char *source, char *loop_dev, int flags);