passt is allowed to run as "root" (UID 0) in a user namespace, but notas
real root in the init namespace.  We read /proc/self/uid_map to determine
if we're in the init namespace or not.

If we're unable to open /proc/self/uid_map we assume we're ok and continue
running as UID 0.  This seems unwise: AFAIK the only instance in which
uid_map won't be available is if we're running on a kernel which doesn't
support user namespaces, in which case we won't be able to sandbox
ourselves as we want and fail anyway.  If there are other circumstances
where it can't be opened it seems marginally more likely that we *are*
in the init namespace.

Therefore, fail with an error in this case, instead of carrying on.

Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 conf.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/conf.c b/conf.c
index 5c293b5..f1aaa8a 100644
--- a/conf.c
+++ b/conf.c
@@ -1054,8 +1054,12 @@ static int conf_ugid(const char *runas, uid_t *uid, gid_t *gid)
 		return 0;
 
 	/* ..or at least not root in the init namespace.. */
-	if ((fd = open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0)
-		return 0;
+	if ((fd = open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0) {
+		ret = -errno;
+		err("Can't determine if we're in init namespace: %s",
+		    strerror(-ret));
+		return ret;
+	}
 
 	if (read(fd, buf, BUFSIZ) != sizeof(root_uid_map) ||
 	    strncmp(buf, root_uid_map, sizeof(root_uid_map) - 1)) {
-- 
2.37.3