summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-02-27 21:50:54 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-02-27 22:40:38 +0100
commit80bad464f911c236bea121b343d23a8d165fc933 (patch)
treecd28225b03679e2fb08a349df3e6cf635f69a3ba
parentf1f26f444228381224581609a327f13158740923 (diff)
downloadpodman-80bad464f911c236bea121b343d23a8d165fc933.tar.gz
podman-80bad464f911c236bea121b343d23a8d165fc933.tar.bz2
podman-80bad464f911c236bea121b343d23a8d165fc933.zip
secrets: fix fips-mode with user namespaces
When using a user namespace, we create the mount point under `mountPrefix` so that the uid != 0 can access that directory. Change the addFIPSModeSecret code to honor that, and also ensure we are creating the directories with the right ownership. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--pkg/secrets/secrets.go12
1 files changed, 8 insertions, 4 deletions
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
index 242953609..3b64f8952 100644
--- a/pkg/secrets/secrets.go
+++ b/pkg/secrets/secrets.go
@@ -8,6 +8,7 @@ import (
"strings"
"github.com/containers/libpod/pkg/rootless"
+ "github.com/containers/storage/pkg/idtools"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
// Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips")
if err == nil {
- if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil {
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
logrus.Errorf("error adding FIPS mode secret to container: %v", err)
}
} else if os.IsNotExist(err) {
@@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
// root filesystem if /etc/system-fips exists on hosts.
// This enables the container to be FIPS compliant and run openssl in
// FIPS mode as the host is also in FIPS mode.
-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
secretsDir := "/run/secrets"
ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
- if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
return errors.Wrapf(err, "making container directory on host failed")
}
+ if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+ return errors.Wrap(err, "error applying correct labels")
+ }
}
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
// In the event of restart, it is possible for the FIPS mode file to already exist
@@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error
if !mountExists(*mounts, secretsDir) {
m := rspec.Mount{
- Source: ctrDirOnHost,
+ Source: filepath.Join(mountPrefix, secretsDir),
Destination: secretsDir,
Type: "bind",
Options: []string{"bind", "rprivate"},