feat: Detect if container is running in privileged mode (#966)

src/disk.sh

@@ -332,7 +332,7 @@ checkFS () {
   DIR=$(dirname "$DISK_FILE")
   [ ! -d "$DIR" ] && return 0
 
-  if [[ "${FS,,}" == "overlay"* && "$PODMAN" != [Yy1]* ]]; then
+  if [[ "${FS,,}" == "overlay"* && "${ENGINE,,}" == "docker" ]]; then
     warn "the filesystem of $DIR is OverlayFS, this usually means it was binded to an invalid path!"
   fi
 

src/network.sh

@@ -204,9 +204,11 @@ compat() {
     SAMBA_INTERFACE="$samba"
   else
     msg=$(ip address add dev "$interface" "$samba/24" label "$interface:$label" 2>&1)
-    if [[ "${msg,,}" != *"address already assigned"* && "$PODMAN" != [Yy1]* ]]; then
-      echo "$msg" >&2
-      warn "$err $ADD_ERR --cap-add NET_ADMIN"
+    if [[ "${msg,,}" != *"address already assigned"* ]]; then
+      if [[ "$ROOTLESS" != [Yy1]* || "$DEBUG" == [Yy1]* ]]; then
+        echo "$msg" >&2
+        warn "$err $ADD_ERR --cap-add NET_ADMIN"
+      fi
     fi
   fi
 
@@ -458,7 +460,7 @@ configureNAT() {
   fi
 
   if [ ! -c /dev/net/tun ]; then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "$tuntap" && return 1
   fi
 
@@ -466,7 +468,7 @@ configureNAT() {
   if [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
     { sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1; rc=$?; } || :
     if (( rc != 0 )) || [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
-      [[ "$PODMAN" == [Yy1]* ]] && return 1
+      [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
       warn "IP forwarding is disabled. $ADD_ERR --sysctl net.ipv4.ip_forward=1"
       return 1
     fi
@@ -493,7 +495,7 @@ configureNAT() {
   { ip link add dev "$VM_NET_BRIDGE" type bridge ; rc=$?; } || :
 
   if (( rc != 0 )); then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "failed to create bridge. $ADD_ERR --cap-add NET_ADMIN" && return 1
   fi
 
@@ -511,7 +513,7 @@ configureNAT() {
 
   # QEMU Works with taps, set tap to the bridge created
   if ! ip tuntap add dev "$VM_NET_TAP" mode tap; then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "$tuntap" && return 1
   fi
 
@@ -844,7 +846,7 @@ else
         closeBridge
         NETWORK="user"
 
-        if [[ "$PODMAN" != [Yy1]* ]]; then
+        if [[ "$ROOTLESS" != [Yy1]* || "$DEBUG" == [Yy1]* ]]; then
           msg="falling back to user-mode networking!"
           msg="failed to setup NAT networking, $msg"
           warn "$msg"

src/reset.sh

@@ -26,18 +26,41 @@ trap 'error "Status $? while: $BASH_COMMAND (line $LINENO/$BASH_LINENO)"' ERR
 # Helper variables
 
 PODMAN="N"
+ROOTLESS="N"
+PRIVILEGED="N"
 ENGINE="Docker"
 PROCESS="${APP,,}"
 PROCESS="${PROCESS// /-}"
 
 if [ -f "/run/.containerenv" ]; then
-  PODMAN="Y"
-  ENGINE="Podman"
+  ENGINE="${CONTAINER:-}"
+  if [[ "${ENGINE,,}" == "podman"* ]]; then
+    PODMAN="Y"
+    ROOTLESS="Y"
+    ENGINE="Podman"
+  else
+    [ -z "$ENGINE" ] && ENGINE="Kubernetes"
+  fi
 fi
 
 echo "❯ Starting $APP for $ENGINE v$(</run/version)..."
 echo "❯ For support visit $SUPPORT"
 
+# Get the capability bounding set
+CAP_BND=$(grep '^CapBnd:' /proc/$$/status | awk '{print $2}')
+CAP_BND=$(printf "%d" "0x${CAP_BND}")
+
+# Get the last capability number
+LAST_CAP=$(cat /proc/sys/kernel/cap_last_cap)
+
+# Calculate the maximum capability value
+MAX_CAP=$(((1 << (LAST_CAP + 1)) - 1))
+
+if [ "${CAP_BND}" -eq "${MAX_CAP}" ]; then
+  ROOTLESS="N"
+  PRIVILEGED="Y"
+fi
+
 INFO="/run/shm/msg.html"
 PAGE="/run/shm/index.html"
 TEMPLATE="/var/www/index.html"