If the monitor runs as root we can assume it's able to remove the cgroups it
created when the container started.
Fixes: https://github.com/lxc/lxd/issues/11108
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
if (ret < 0)
WARN("Failed to detach bpf program from cgroup");
- if (!list_empty(&handler->conf->id_map)) {
+ /*
+ * Only do the user namespace dance if we have too. If the container's
+ * monitor is root we can assume that it is privileged enough to remove
+ * the cgroups it created when the container started.
+ */
+ if (!list_empty(&handler->conf->id_map) && !handler->am_root) {
struct generic_userns_exec_data wrap = {
.conf = handler->conf,
.path_prune = ops->container_limit_cgroup,
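Review bot: Typo in the new comment: "if we have too" should read "if we have to". While touching it, it would help to spell out what `handler->am_root` means here (the monitor's own uid is 0 on the host, as opposed to being root only inside the container's user namespace), since the new `&& !handler->am_root` condition skips the user-namespace exec wrapper on exactly that assumption; a short note on which code path does the cgroup removal in the root case would make the intent reviewable from this hunk alone.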