diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-07-12 09:15:57 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-07-12 11:35:03 +0200 |
commit | d74db186a8934a9aaa6af3518c473e2e124b2e02 (patch) | |
tree | 44606bbe849d7b087106942e75ead0c32d1cd50e | |
parent | 144567b42dba2c8c426538a4b5fe7d718b43284a (diff) | |
download | podman-d74db186a8934a9aaa6af3518c473e2e124b2e02.tar.gz podman-d74db186a8934a9aaa6af3518c473e2e124b2e02.tar.bz2 podman-d74db186a8934a9aaa6af3518c473e2e124b2e02.zip |
spec: fix userns with less than 5 gids
when the container is running in a user namespace, check if gid=5 is
available, otherwise drop the option gid=5 for /dev/pts.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | pkg/spec/spec.go | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 5cc021bf5..44417ea9c 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -80,23 +80,41 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM g.AddLinuxMaskedPaths("/sys/kernel") } } + gid5Available := true if isRootless { nGids, err := getAvailableGids() if err != nil { return nil, err } - if nGids < 5 { - // If we have no GID mappings, the gid=5 default option would fail, so drop it. - g.RemoveMount("/dev/pts") - devPts := spec.Mount{ - Destination: "/dev/pts", - Type: "devpts", - Source: "devpts", - Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + gid5Available = nGids >= 5 + } + // When using a different user namespace, check that the GID 5 is mapped inside + // the container. + if gid5Available && len(config.IDMappings.GIDMap) > 0 { + mappingFound := false + for _, r := range config.IDMappings.GIDMap { + if r.ContainerID <= 5 && 5 < r.ContainerID+r.Size { + mappingFound = true + break } - g.AddMount(devPts) } + if !mappingFound { + gid5Available = false + } + } + if !gid5Available { + // If we have no GID mappings, the gid=5 default option would fail, so drop it. + g.RemoveMount("/dev/pts") + devPts := spec.Mount{ + Destination: "/dev/pts", + Type: "devpts", + Source: "devpts", + Options: []string{"rprivate", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}, + } + g.AddMount(devPts) + } + if inUserNS && config.IpcMode.IsHost() { g.RemoveMount("/dev/mqueue") devMqueue := spec.Mount{ |