diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-01-15 12:45:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-15 12:45:15 +0100 |
commit | d914cc231a0b1b27f2f29dabc58bcb1b88e12822 (patch) | |
tree | 25dc5f157ca86d75f545109bfc316e6cdd7551b2 | |
parent | 12aa9caf97bdcb6dc71a8c94c4875f9e0e87022a (diff) | |
parent | 68185048cf528b8dd2fec64f0c958c3cf58f1ae1 (diff) | |
download | podman-d914cc231a0b1b27f2f29dabc58bcb1b88e12822.tar.gz podman-d914cc231a0b1b27f2f29dabc58bcb1b88e12822.tar.bz2 podman-d914cc231a0b1b27f2f29dabc58bcb1b88e12822.zip |
Merge pull request #4859 from giuseppe/not-change-permission-for-rundir-tmpdir
oci_conmon: not make accessible dirs if not needed
-rw-r--r-- | libpod/oci_conmon_linux.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 7cc43abc0..5ab0e73c4 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -149,9 +149,23 @@ func (r *ConmonOCIRuntime) Path() string { return r.path } +// hasCurrentUserMapped checks whether the current user is mapped inside the container user namespace +func hasCurrentUserMapped(ctr *Container) bool { + if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 { + return true + } + uid := os.Geteuid() + for _, m := range ctr.config.IDMappings.UIDMap { + if uid >= m.HostID && uid < m.HostID+m.Size { + return true + } + } + return false +} + // CreateContainer creates a container. func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (err error) { - if len(ctr.config.IDMappings.UIDMap) != 0 || len(ctr.config.IDMappings.GIDMap) != 0 { + if !hasCurrentUserMapped(ctr) { for _, i := range []string{ctr.state.RunDir, ctr.runtime.config.TmpDir, ctr.config.StaticDir, ctr.state.Mountpoint, ctr.runtime.config.VolumePath} { if err := makeAccessible(i, ctr.RootUID(), ctr.RootGID()); err != nil { return err |