summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-01-15 12:45:15 +0100
committerGitHub <noreply@github.com>2020-01-15 12:45:15 +0100
commitd914cc231a0b1b27f2f29dabc58bcb1b88e12822 (patch)
tree25dc5f157ca86d75f545109bfc316e6cdd7551b2
parent12aa9caf97bdcb6dc71a8c94c4875f9e0e87022a (diff)
parent68185048cf528b8dd2fec64f0c958c3cf58f1ae1 (diff)
downloadpodman-d914cc231a0b1b27f2f29dabc58bcb1b88e12822.tar.gz
podman-d914cc231a0b1b27f2f29dabc58bcb1b88e12822.tar.bz2
podman-d914cc231a0b1b27f2f29dabc58bcb1b88e12822.zip
Merge pull request #4859 from giuseppe/not-change-permission-for-rundir-tmpdir
oci_conmon: not make accessible dirs if not needed
-rw-r--r--libpod/oci_conmon_linux.go16
1 files changed, 15 insertions, 1 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 7cc43abc0..5ab0e73c4 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -149,9 +149,23 @@ func (r *ConmonOCIRuntime) Path() string {
return r.path
}
+// hasCurrentUserMapped checks whether the current user is mapped inside the container user namespace
+func hasCurrentUserMapped(ctr *Container) bool {
+ if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 {
+ return true
+ }
+ uid := os.Geteuid()
+ for _, m := range ctr.config.IDMappings.UIDMap {
+ if uid >= m.HostID && uid < m.HostID+m.Size {
+ return true
+ }
+ }
+ return false
+}
+
// CreateContainer creates a container.
func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (err error) {
- if len(ctr.config.IDMappings.UIDMap) != 0 || len(ctr.config.IDMappings.GIDMap) != 0 {
+ if !hasCurrentUserMapped(ctr) {
for _, i := range []string{ctr.state.RunDir, ctr.runtime.config.TmpDir, ctr.config.StaticDir, ctr.state.Mountpoint, ctr.runtime.config.VolumePath} {
if err := makeAccessible(i, ctr.RootUID(), ctr.RootGID()); err != nil {
return err