SetupRootless(): only reexec when needed

We should never try to reexxec when we are already root with CAP_SYS_ADMIN. The code contained a bug when --cgroups=disabled is used as it tried to perfom a reexec even when it was not needed. Fixes: 900e295 ("libpod: do not move podman with --cgroups=disabled") Signed-off-by: Paul Holzinger <[email protected]>
containers · Jul 8, 2024 · a2c83cb · a2c83cb
1 parent 3350cd3
commit a2c83cb
Showing 1 changed file with 10 additions and 9 deletions.
diff --git a/pkg/domain/infra/abi/system_linux.go b/pkg/domain/infra/abi/system_linux.go
@@ -30,15 +30,16 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool,
 		}
 	}
 
-	configureCgroup := cgroupMode != "disabled"
-	if configureCgroup {
+	hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+	if err != nil {
+		return err
+	}
+
+	// check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
+	if os.Geteuid() == 0 && hasCapSysAdmin {
 		// do it only after podman has already re-execed and running with uid==0.
-		hasCapSysAdmin, err := unshare.HasCapSysAdmin()
-		if err != nil {
-			return err
-		}
-		// check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
-		if os.Geteuid() == 0 && hasCapSysAdmin {
+		configureCgroup := cgroupMode != "disabled"
+		if configureCgroup {
 			ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
 			if err != nil {
 				logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)
@@ -55,8 +56,8 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool,
 					}
 				}
 			}
-			return nil
 		}
+		return nil
 	}
 
 	pausePidPath, err := util.GetRootlessPauseProcessPidPath()