From 41a6b992aab1ea8e644ea20d4b4be897fe59e921 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 24 Nov 2023 13:19:56 +0100
Subject: [PATCH] system: enhance check for re-exec into rootless userns
Previously, the setup only checked for the CAP_SYS_ADMIN capability, which could be not enough with containerized Podman where CAP_SYS_ADMIN might be set for an unprivileged user.
Closes: https://github.com/containers/podman/issues/20766
[NO NEW TESTS NEEDED] needs containerized Podman
Signed-off-by: Giuseppe Scrivano
---
 pkg/domain/infra/abi/system.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index 8d7a830500..987df8dfb9 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -88,7 +88,8 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 if err != nil {
 return err
 }
- if hasCapSysAdmin {
+ // check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
+ if os.Geteuid() == 0 && hasCapSysAdmin {
 ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
 if err != nil {
 logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)
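Review bot: The comment added above `if os.Geteuid() == 0 && hasCapSysAdmin {` names the trigger (a container that grants CAP_SYS_ADMIN) but not the resulting behaviour, which is what someone auditing this privilege decision needs to read. Going by the commit message, a process with a non-zero euid that holds CAP_SYS_ADMIN now skips this block and continues to the rootless user-namespace re-exec, so I would state that directly, e.g. `// Only euid 0 with CAP_SYS_ADMIN counts as already privileged; a non-root user granted CAP_SYS_ADMIN (containerized Podman) must still re-exec into the rootless userns.` The inverse case, euid 0 without CAP_SYS_ADMIN, also falls through as it did before this change, and deserves a word in the same comment if that is intended. SetupRootless begins and ends outside the hunk, so the code that runs after this block is not visible here.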