diff options
| author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-02-27 21:50:54 +0100 |
|---|---|---|
| committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-02-27 22:40:38 +0100 |
| commit | 80bad464f911c236bea121b343d23a8d165fc933 (patch) | |
| tree | cd28225b03679e2fb08a349df3e6cf635f69a3ba | |
| parent | f1f26f444228381224581609a327f13158740923 (diff) | |
| download | podman-80bad464f911c236bea121b343d23a8d165fc933.tar.gz podman-80bad464f911c236bea121b343d23a8d165fc933.tar.bz2 podman-80bad464f911c236bea121b343d23a8d165fc933.zip | |
secrets: fix fips-mode with user namespaces
When using a user namespace, we create the mount point under
`mountPrefix` so that the uid != 0 can access that directory.
Change the addFIPSModeSecret code to honor that, and also ensure we
are creating the directories with the right ownership.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| -rw-r--r-- | pkg/secrets/secrets.go | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go index 242953609..3b64f8952 100644 --- a/pkg/secrets/secrets.go +++ b/pkg/secrets/secrets.go @@ -8,6 +8,7 @@ import ( "strings" "github.com/containers/libpod/pkg/rootless" + "github.com/containers/storage/pkg/idtools" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" @@ -176,7 +177,7 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre // Add FIPS mode secret if /etc/system-fips exists on the host _, err := os.Stat("/etc/system-fips") if err == nil { - if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil { + if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil { logrus.Errorf("error adding FIPS mode secret to container: %v", err) } } else if os.IsNotExist(err) { @@ -264,13 +265,16 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr // root filesystem if /etc/system-fips exists on hosts. // This enables the container to be FIPS compliant and run openssl in // FIPS mode as the host is also in FIPS mode. -func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error { +func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error { secretsDir := "/run/secrets" ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir) if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) { - if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil { + if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil { return errors.Wrapf(err, "making container directory on host failed") } + if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil { + return errors.Wrap(err, "error applying correct labels") + } } fipsFile := filepath.Join(ctrDirOnHost, "system-fips") // In the event of restart, it is possible for the FIPS mode file to already exist @@ -284,7 +288,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error if !mountExists(*mounts, secretsDir) { m := rspec.Mount{ - Source: ctrDirOnHost, + Source: filepath.Join(mountPrefix, secretsDir), Destination: secretsDir, Type: "bind", Options: []string{"bind", "rprivate"}, |