author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-11-11 20:47:42 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-11 20:47:42 +0100 |
commit | d6d89fa79f1cb785e2f3f6b8d2295b97b19066e9 (patch) | |
tree | ea516158cecf7c70bba163537f75d3d9c1f47c54 /libpod/container_internal.go | |
parent | 69d2e78b3bb328535e70fa7845cbea86355ceafb (diff) | |
parent | 9f4d63f91bba116d2deb85a0af041611d0b85082 (diff) | |
Merge pull request #12267 from giuseppe/safely-create-etc-mtab
libpod: create /etc/mtab safely
Diffstat (limited to 'libpod/container_internal.go')
-rw-r--r-- | libpod/container_internal.go | 46 |
1 files changed, 41 insertions, 5 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 64fe99132..de23a4aeb 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -39,6 +39,7 @@ import (
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -1592,14 +1593,49 @@ func (c *Container) mountStorage() (_ string, deferredErr error) {
 		}()
 	}
 
+	rootUID, rootGID := c.RootUID(), c.RootGID()
+
+	dirfd, err := unix.Open(mountPoint, unix.O_RDONLY|unix.O_PATH, 0)
+	if err != nil {
+		return "", errors.Wrap(err, "open mount point")
+	}
+	defer unix.Close(dirfd)
+
+	err = unix.Mkdirat(dirfd, "etc", 0755)
+	if err != nil && !os.IsExist(err) {
+		return "", errors.Wrap(err, "create /etc")
+	}
+	// If the etc directory was created, chown it to root in the container
+	if err == nil && (rootUID != 0 || rootGID != 0) {
+		err = unix.Fchownat(dirfd, "etc", rootUID, rootGID, unix.AT_SYMLINK_NOFOLLOW)
+		if err != nil {
+			return "", errors.Wrap(err, "chown /etc")
+		}
+	}
+
+	etcInTheContainerPath, err := securejoin.SecureJoin(mountPoint, "etc")
+	if err != nil {
+		return "", errors.Wrap(err, "resolve /etc in the container")
+	}
+
+	etcInTheContainerFd, err := unix.Open(etcInTheContainerPath, unix.O_RDONLY|unix.O_PATH, 0)
+	if err != nil {
+		return "", errors.Wrap(err, "open /etc in the container")
+	}
+	defer unix.Close(etcInTheContainerFd)
+
 	// If /etc/mtab does not exist in container image, then we need to
 	// create it, so that mount command within the container will work.
-	mtab := filepath.Join(mountPoint, "/etc/mtab")
-	if err := idtools.MkdirAllAs(filepath.Dir(mtab), 0755, c.RootUID(), c.RootGID()); err != nil {
-		return "", errors.Wrap(err, "error creating mtab directory")
+	err = unix.Symlinkat("/proc/mounts", etcInTheContainerFd, "mtab")
+	if err != nil && !os.IsExist(err) {
+		return "", errors.Wrap(err, "creating /etc/mtab symlink")
 	}
-	if err = os.Symlink("/proc/mounts", mtab); err != nil && !os.IsExist(err) {
-		return "", err
+	// If the symlink was created, then also chown it to root in the container
+	if err == nil && (rootUID != 0 || rootGID != 0) {
+		err = unix.Fchownat(etcInTheContainerFd, "mtab", rootUID, rootGID, unix.AT_SYMLINK_NOFOLLOW)
+		if err != nil {
+			return "", errors.Wrap(err, "chown /etc/mtab")
+		}
 	}
 
 	// Request a mount of all named volumes
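Review bot: The `securejoin.SecureJoin(mountPoint, "etc")` call and the `unix.Open(etcInTheContainerPath, ...)` that follows it are two separate steps, so the open is not atomic with the lexical resolution: SecureJoin's own documentation notes that a symlink swapped into the rootfs between those two calls is followed by the later open, which is the same class of image-controlled symlink issue this commit is closing. Since the file now imports golang.org/x/sys/unix, the kernel-enforced form is `unix.Openat2(dirfd, "etc", &unix.OpenHow{Flags: unix.O_RDONLY | unix.O_PATH, Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS})`, keeping the SecureJoin path only as a fallback when the kernel predates openat2 (5.6). Whether a concurrent writer to the not-yet-running container's layer is realistically in scope depends on the storage driver and rootless configuration, which this hunk does not show, so if the fallback is kept as the primary path a comment such as `// NOTE: SecureJoin resolves lexically; the open below is not atomic with that resolution` should record the assumption. The `dirfd`-relative `Mkdirat`/`Symlinkat` calls themselves look right; `mountStorage` begins before this hunk and continues after it.
```go
	// … unchanged: open rootfs dirfd, Mkdirat/Fchownat of "etc" …

	// Let the kernel confine the resolution of "etc" to the rootfs (openat2,
	// Linux 5.6+); fall back to the lexical SecureJoin path on older kernels.
	etcInTheContainerFd, err := unix.Openat2(dirfd, "etc", &unix.OpenHow{
		Flags:   unix.O_RDONLY | unix.O_PATH,
		Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
	})
	if err == unix.ENOSYS || err == unix.EINVAL {
		// … unchanged: SecureJoin + unix.Open, assigning etcInTheContainerFd, err …
	}
	if err != nil {
		return "", errors.Wrap(err, "open /etc in the container")
	}
	defer unix.Close(etcInTheContainerFd)
```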