diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-12-12 11:56:19 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-12-12 11:57:30 +0100 |
commit | a609e026a5f58d935a25e558480ed314783062fc (patch) | |
tree | f97444d165e8acdfdf12082eab0500d267b07386 /cmd/podman | |
parent | 8a3361f46c87933aff04c9acaaf48b7c130bc9d8 (diff) | |
download | podman-a609e026a5f58d935a25e558480ed314783062fc.tar.gz podman-a609e026a5f58d935a25e558480ed314783062fc.tar.bz2 podman-a609e026a5f58d935a25e558480ed314783062fc.zip |
mount: allow mount only when using vfs
when using a driver different than vfs, the mount is probably in a
different mount namespace thus not accessible from the host. Avoid
the confusion by not allowing mount when a different driver is used.
Closes: https://github.com/containers/libpod/issues/1964
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'cmd/podman')
-rw-r--r-- | cmd/podman/main.go | 1 | ||||
-rw-r--r-- | cmd/podman/mount.go | 21 |
2 files changed, 22 insertions, 0 deletions
diff --git a/cmd/podman/main.go b/cmd/podman/main.go index 796b0b03a..2db6c5dec 100644 --- a/cmd/podman/main.go +++ b/cmd/podman/main.go @@ -34,6 +34,7 @@ var cmdsNotRequiringRootless = map[string]bool{ // If this change, please also update libpod.refreshRootless() "login": true, "logout": true, + "mount": true, "kill": true, "pause": true, "restart": true, diff --git a/cmd/podman/mount.go b/cmd/podman/mount.go index 585f506cd..c91115597 100644 --- a/cmd/podman/mount.go +++ b/cmd/podman/mount.go @@ -3,9 +3,11 @@ package main import ( js "encoding/json" "fmt" + "os" of "github.com/containers/libpod/cmd/podman/formats" "github.com/containers/libpod/cmd/podman/libpodruntime" + "github.com/containers/libpod/pkg/rootless" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/urfave/cli" @@ -52,6 +54,9 @@ func mountCmd(c *cli.Context) error { if err := validateFlags(c, mountFlags); err != nil { return err } + if os.Geteuid() != 0 { + rootless.SetSkipStorageSetup(true) + } runtime, err := libpodruntime.GetRuntime(c) if err != nil { @@ -59,6 +64,22 @@ func mountCmd(c *cli.Context) error { } defer runtime.Shutdown(false) + if os.Geteuid() != 0 { + if driver := runtime.GetConfig().StorageConfig.GraphDriverName; driver != "vfs" { + // Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part + // of the mount command. + return fmt.Errorf("cannot mount using driver %s in rootless mode", driver) + } + + became, ret, err := rootless.BecomeRootInUserNS() + if err != nil { + return err + } + if became { + os.Exit(ret) + } + } + formats := map[string]bool{ "": true, of.JSONString: true, |