summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2020-01-14 13:23:59 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2020-01-14 14:45:14 +0100
commit68185048cf528b8dd2fec64f0c958c3cf58f1ae1 (patch)
tree0ec802a7685086db9e142384a9a75c204de5ed4b
parent79ec2a9a6d5d39d4f0b6253395b2434d70ba174d (diff)
downloadpodman-68185048cf528b8dd2fec64f0c958c3cf58f1ae1.tar.gz
podman-68185048cf528b8dd2fec64f0c958c3cf58f1ae1.tar.bz2
podman-68185048cf528b8dd2fec64f0c958c3cf58f1ae1.zip
oci_conmon: not make accessible dirs if not needed
do not change the permissions mask for the rundir and the tmpdir when running a container with a user namespace and the current user is mapped inside the user namespace. The change was introduced with 849548ffb8e958e901317eceffdcc2d918cafd8d, that dropped the intermediate mount namespace in favor of allowing root into the user namespace to access these directories. Closes: https://github.com/containers/libpod/issues/4846 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--libpod/oci_conmon_linux.go16
1 files changed, 15 insertions, 1 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 7cc43abc0..5ab0e73c4 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -149,9 +149,23 @@ func (r *ConmonOCIRuntime) Path() string {
return r.path
}
+// hasCurrentUserMapped checks whether the current user is mapped inside the container user namespace
+func hasCurrentUserMapped(ctr *Container) bool {
+ if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 {
+ return true
+ }
+ uid := os.Geteuid()
+ for _, m := range ctr.config.IDMappings.UIDMap {
+ if uid >= m.HostID && uid < m.HostID+m.Size {
+ return true
+ }
+ }
+ return false
+}
+
// CreateContainer creates a container.
func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (err error) {
- if len(ctr.config.IDMappings.UIDMap) != 0 || len(ctr.config.IDMappings.GIDMap) != 0 {
+ if !hasCurrentUserMapped(ctr) {
for _, i := range []string{ctr.state.RunDir, ctr.runtime.config.TmpDir, ctr.config.StaticDir, ctr.state.Mountpoint, ctr.runtime.config.VolumePath} {
if err := makeAccessible(i, ctr.RootUID(), ctr.RootGID()); err != nil {
return err