detect-virt: install with fs caps by default to allow unprivileged access
authorLennart Poettering <lennart@poettering.net>
Tue, 9 Oct 2012 20:25:32 +0000 (22:25 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 9 Oct 2012 20:25:32 +0000 (22:25 +0200)
Makefile.am
configure.ac
src/shared/virt.c

index 621da03260040e8bc706420dbf7ebd602295c38d..0b3013b444c0388a2f6fc71adf1b72b044822eac 100644 (file)
@@ -1403,6 +1403,12 @@ systemd_detect_virt_SOURCES = \
 systemd_detect_virt_LDADD = \
        libsystemd-shared.la
 
+systemd-detect-virt-install-hook:
+       $(SETCAP) cap_dac_override,cap_sys_ptrace=ep $(DESTDIR)$(bindir)/systemd-detect-virt ||:
+
+INSTALL_EXEC_HOOKS += \
+       systemd-detect-virt-install-hook
+
 # ------------------------------------------------------------------------------
 systemd_delta_SOURCES = \
        src/delta/delta.c
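Review bot: The install hook gives `systemd-detect-virt` the file capabilities `cap_dac_override,cap_sys_ptrace=ep`, so any local user can run a program that bypasses file permission checks and ptrace access checks, and nothing on the rule records why both are needed. Because the flags are `ep`, the capabilities are effective from the start of execution, so argument parsing and every later code path run with them; whether the program drops them after its privileged reads is not visible in this diff. I would add a comment above the rule such as `# File caps let unprivileged users run detection; treat this binary as privileged code and keep the set minimal.` The trailing `||:` also hides a failed setcap (for example on a filesystem without xattr support), so consider `|| echo "warning: setcap failed, systemd-detect-virt needs root" >&2` to keep the install non-fatal but visible.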
index 5d7d0c286399b1c49c07d01825cb44f3f013b072..09818d6ec033b4fb712364bb57fe6f0a00b402e0 100644 (file)
@@ -67,6 +67,8 @@ AC_PATH_PROG([XSLTPROC], [xsltproc])
 AC_PATH_PROG([QUOTAON], [quotaon], [/sbin/quotaon])
 AC_PATH_PROG([QUOTACHECK], [quotacheck], [/sbin/quotacheck])
 
+AC_PATH_PROG([SETCAP], [setcap], [/sbin/setcap])
+
 # gtkdocize greps for '^GTK_DOC_CHECK', so it needs to be on its own line
 m4_ifdef([GTK_DOC_CHECK], [
 GTK_DOC_CHECK([1.18],[--flavour no-tmpl])
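Review bot: The fallback value `/sbin/setcap` means `SETCAP` is always non-empty, so configure gives no indication when setcap exists neither on PATH nor at that path. Together with the `||:` on the install hook in Makefile.am, the build then installs the binary without capabilities and reports nothing. A check after the `AC_PATH_PROG` line would surface this, for example `AS_IF([test ! -x "$SETCAP"], [AC_MSG_WARN([setcap not found; systemd-detect-virt will be installed without file capabilities])])`.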
index 6e447944967a115a2e7b0b596254a2d5d9bebc2f..fc62c72328e381341850d021dbd076fb6d5e73ee 100644 (file)
@@ -159,10 +159,10 @@ int detect_container(const char **id) {
         /* Unfortunately many of these operations require root access
          * in one way or another */
 
-        if (geteuid() != 0)
-                return -EPERM;
-
-        if (running_in_chroot() > 0) {
+        r = running_in_chroot();
+        if (r < 0)
+                return r;
+        if (r > 0) {
 
                 if (id)
                         *id = "chroot";
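Review bot: The comment kept at the top of this hunk still says these operations require root, but the `geteuid() != 0` guard below it is removed, so the function now proceeds for any caller and relies on each later operation to fail on its own. detect_container() lives in src/shared, so presumably programs without the new file capabilities call it too; they previously got a uniform `-EPERM` and will now see whatever `running_in_chroot()` or a later step returns, which is worth checking against callers that test for that value. I would reword the comment to `/* These operations need root or CAP_DAC_OVERRIDE/CAP_SYS_PTRACE; without them the individual checks below fail. */`. The function starts and ends outside the hunk, so the declaration of `r` and the remaining checks are not visible here.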