aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-07-12 09:15:57 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-07-12 11:35:03 +0200
commitd74db186a8934a9aaa6af3518c473e2e124b2e02 (patch)
tree44606bbe849d7b087106942e75ead0c32d1cd50e
parent144567b42dba2c8c426538a4b5fe7d718b43284a (diff)
downloadpodman-d74db186a8934a9aaa6af3518c473e2e124b2e02.tar.gz
podman-d74db186a8934a9aaa6af3518c473e2e124b2e02.tar.bz2
podman-d74db186a8934a9aaa6af3518c473e2e124b2e02.zip
spec: fix userns with less than 5 gids
when the container is running in a user namespace, check if gid=5 is available, otherwise drop the option gid=5 for /dev/pts. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--pkg/spec/spec.go36
1 files changed, 27 insertions, 9 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 5cc021bf5..44417ea9c 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -80,23 +80,41 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
g.AddLinuxMaskedPaths("/sys/kernel")
}
}
+ gid5Available := true
if isRootless {
nGids, err := getAvailableGids()
if err != nil {
return nil, err
}
- if nGids < 5 {
- // If we have no GID mappings, the gid=5 default option would fail, so drop it.
- g.RemoveMount("/dev/pts")
- devPts := spec.Mount{
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ gid5Available = nGids >= 5
+ }
+ // When using a different user namespace, check that the GID 5 is mapped inside
+ // the container.
+ if gid5Available && len(config.IDMappings.GIDMap) > 0 {
+ mappingFound := false
+ for _, r := range config.IDMappings.GIDMap {
+ if r.ContainerID <= 5 && 5 < r.ContainerID+r.Size {
+ mappingFound = true
+ break
}
- g.AddMount(devPts)
}
+ if !mappingFound {
+ gid5Available = false
+ }
+
}
+ if !gid5Available {
+ // If we have no GID mappings, the gid=5 default option would fail, so drop it.
+ g.RemoveMount("/dev/pts")
+ devPts := spec.Mount{
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ }
+ g.AddMount(devPts)
+ }
+
if inUserNS && config.IpcMode.IsHost() {
g.RemoveMount("/dev/mqueue")
devMqueue := spec.Mount{