summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2020-07-30 21:44:53 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2020-07-30 23:16:50 +0200
commitd188b2fe2272212f835f5b1ccb68278535b59803 (patch)
tree01826b4eb22d1c98733280f6f66cb76ed774bcbb
parentd86ef45441635bf12a9ba78ace91050622a5eac3 (diff)
downloadpodman-d188b2fe2272212f835f5b1ccb68278535b59803.tar.gz
podman-d188b2fe2272212f835f5b1ccb68278535b59803.tar.bz2
podman-d188b2fe2272212f835f5b1ccb68278535b59803.zip
rootless: add a check for the host id included in the range
add a check to verify whether the additional IDs also contain the host ID. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--pkg/rootless/rootless_linux.go19
1 files changed, 16 insertions, 3 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index fc4393927..ccc8a1d94 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -97,7 +97,11 @@ func GetRootlessGID() int {
return os.Getegid()
}
-func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) error {
+func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error {
+ var tool = "newuidmap"
+ if !uid {
+ tool = "newgidmap"
+ }
path, err := exec.LookPath(tool)
if err != nil {
return errors.Wrapf(err, "cannot find %s", tool)
@@ -110,6 +114,15 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap)
args := []string{path, fmt.Sprintf("%d", pid)}
args = appendTriplet(args, 0, hostID, 1)
for _, i := range mappings {
+ if hostID >= i.HostID && hostID < i.HostID+i.Size {
+ what := "UID"
+ where := "/etc/subuid"
+ if !uid {
+ what = "GID"
+ where = "/etc/subgid"
+ }
+ return errors.Errorf("invalid configuration: the specified mapping %d:%d in %q includes the user %s", i.HostID, i.Size, where, what)
+ }
args = appendTriplet(args, i.ContainerID+1, i.HostID, i.Size)
}
cmd := exec.Cmd{
@@ -227,7 +240,7 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
uidsMapped := false
if uids != nil {
- err := tryMappingTool("newuidmap", pid, os.Geteuid(), uids)
+ err := tryMappingTool(true, pid, os.Geteuid(), uids)
// If some mappings were specified, do not ignore the error
if err != nil && len(uids) > 0 {
return false, -1, err
@@ -253,7 +266,7 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
gidsMapped := false
if gids != nil {
- err := tryMappingTool("newgidmap", pid, os.Getegid(), gids)
+ err := tryMappingTool(false, pid, os.Getegid(), gids)
// If some mappings were specified, do not ignore the error
if err != nil && len(gids) > 0 {
return false, -1, err