diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-01-14 13:23:59 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-01-14 14:45:14 +0100 |
commit | 68185048cf528b8dd2fec64f0c958c3cf58f1ae1 (patch) | |
tree | 0ec802a7685086db9e142384a9a75c204de5ed4b | |
parent | 79ec2a9a6d5d39d4f0b6253395b2434d70ba174d (diff) | |
download | podman-68185048cf528b8dd2fec64f0c958c3cf58f1ae1.tar.gz podman-68185048cf528b8dd2fec64f0c958c3cf58f1ae1.tar.bz2 podman-68185048cf528b8dd2fec64f0c958c3cf58f1ae1.zip |
oci_conmon: not make accessible dirs if not needed
do not change the permissions mask for the rundir and the tmpdir when
running a container with a user namespace and the current user is
mapped inside the user namespace.
The change was introduced with
849548ffb8e958e901317eceffdcc2d918cafd8d, that dropped the
intermediate mount namespace in favor of allowing root into the user
namespace to access these directories.
Closes: https://github.com/containers/libpod/issues/4846
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | libpod/oci_conmon_linux.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 7cc43abc0..5ab0e73c4 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -149,9 +149,23 @@ func (r *ConmonOCIRuntime) Path() string { return r.path } +// hasCurrentUserMapped checks whether the current user is mapped inside the container user namespace +func hasCurrentUserMapped(ctr *Container) bool { + if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 { + return true + } + uid := os.Geteuid() + for _, m := range ctr.config.IDMappings.UIDMap { + if uid >= m.HostID && uid < m.HostID+m.Size { + return true + } + } + return false +} + // CreateContainer creates a container. func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (err error) { - if len(ctr.config.IDMappings.UIDMap) != 0 || len(ctr.config.IDMappings.GIDMap) != 0 { + if !hasCurrentUserMapped(ctr) { for _, i := range []string{ctr.state.RunDir, ctr.runtime.config.TmpDir, ctr.config.StaticDir, ctr.state.Mountpoint, ctr.runtime.config.VolumePath} { if err := makeAccessible(i, ctr.RootUID(), ctr.RootGID()); err != nil { return err |