sandboxing: check whether debian specific patch disables user namespaces for unpriv users

2019-08-12 09:06:32 +02:00 · 2019-08-12 09:06:32 +02:00 · 1e150144e6
--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@ -196,6 +196,19 @@ bool SandboxLinux::enablePreWorker(std::vector<std::string> fsPaths)

 bool SandboxLinux::supported()
 {
+	std::fstream stream;
+	stream.open("/proc/sys/kernel/unprivileged_userns_clone");
+	if(stream.is_open())
+	{
+		std::string str;
+		stream >> str;
+		if(str[0] == '0')
+		{
+			Logger::error() << "Please write '1' to /proc/sys/kernel/unprivileged_userns_clone in order to enable "
+							   "sandboxing support on this system";
+			return false;
+		}
+	}
 	return true;
 }
 bool SandboxLinux::enableForWorker()