summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorQi Wang <qiwan@redhat.com>2020-05-29 17:39:42 -0400
committerQi Wang <qiwan@redhat.com>2020-06-02 11:28:58 -0400
commit77e4b077b9d8989b1300689103a5489bd1ad9a8b (patch)
tree7f40976b06093fa7969a7cdcf19fb4365e45647c
parentf559cec6c0d1694cca9530004aaba3c138f621e3 (diff)
downloadpodman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.tar.gz
podman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.tar.bz2
podman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.zip
check --user range for rootless containers
Check --user range if it's a uid for rootless containers. Returns error if it is out of the range. From https://github.com/containers/libpod/issues/6431#issuecomment-636124686 Signed-off-by: Qi Wang <qiwan@redhat.com>
-rw-r--r--cmd/podman/containers/run.go12
-rw-r--r--libpod/container_internal_linux.go5
-rw-r--r--pkg/util/utils_linux.go16
-rw-r--r--pkg/util/utils_unsupported.go5
4 files changed, 38 insertions, 0 deletions
diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go
index 890c6e827..8a02c63c0 100644
--- a/cmd/podman/containers/run.go
+++ b/cmd/podman/containers/run.go
@@ -3,6 +3,7 @@ package containers
import (
"fmt"
"os"
+ "strconv"
"strings"
"github.com/containers/libpod/cmd/podman/common"
@@ -10,7 +11,9 @@ import (
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/pkg/domain/entities"
"github.com/containers/libpod/pkg/errorhandling"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/specgen"
+ "github.com/containers/libpod/pkg/util"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@@ -92,6 +95,15 @@ func run(cmd *cobra.Command, args []string) error {
return err
}
+ if rootless.IsRootless() && !registry.IsRemote() {
+ userspec := strings.SplitN(cliVals.User, ":", 2)[0]
+ if uid, err := strconv.ParseInt(userspec, 10, 32); err == nil {
+ if err := util.CheckRootlessUIDRange(int(uid)); err != nil {
+ return err
+ }
+ }
+ }
+
if af := cliVals.Authfile; len(af) > 0 {
if _, err := os.Stat(af); err != nil {
return errors.Wrapf(err, "error checking authfile path %s", af)
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2bd6099f0..d08e012a6 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -325,6 +325,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
if c.config.User != "" {
+ if rootless.IsRootless() {
+ if err := util.CheckRootlessUIDRange(execUser.Uid); err != nil {
+ return nil, err
+ }
+ }
// User and Group must go together
g.SetProcessUID(uint32(execUser.Uid))
g.SetProcessGID(uint32(execUser.Gid))
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 288137ca5..5e4dc4a51 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -6,6 +6,7 @@ import (
"path/filepath"
"syscall"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/containers/psgo"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -52,3 +53,18 @@ func FindDeviceNodes() (map[string]string, error) {
return nodes, nil
}
+
+// CheckRootlessUIDRange checks the uid within the rootless container is in the range from /etc/subuid
+func CheckRootlessUIDRange(uid int) error {
+ uids, _, err := rootless.GetConfiguredMappings()
+ if err != nil {
+ return err
+ }
+ for _, u := range uids {
+ // add 1 since we also map in the user's own UID
+ if uid > u.Size+1 {
+ return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid)
+ }
+ }
+ return nil
+}
diff --git a/pkg/util/utils_unsupported.go b/pkg/util/utils_unsupported.go
index 62805d7c8..f8d5a37c1 100644
--- a/pkg/util/utils_unsupported.go
+++ b/pkg/util/utils_unsupported.go
@@ -10,3 +10,8 @@ import (
func FindDeviceNodes() (map[string]string, error) {
return nil, errors.Errorf("not supported on non-Linux OSes")
}
+
+// CheckRootlessUIDRange is not implemented anywhere except Linux.
+func CheckRootlessUIDRange(uid int) error {
+ return nil
+}