userns: use the intermediate mountns for volumes

when --uidmap is used, the user won't be able to access
/var/lib/containers/storage/volumes.  Use the intermediate mount
namespace, that is accessible to root in the container, for mounting
the volumes inside the container.

Closes: https://github.com/containers/libpod/issues/2713

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

1 files changed, 9 insertions, 1 deletions

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2a7808bdf..c6c9ceb0c 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -203,7 +203,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	}
 	// Check if the spec file mounts contain the label Relabel flags z or Z.
 	// If they do, relabel the source directory and then remove the option.
-	for _, m := range g.Mounts() {
+	for i := range g.Config.Mounts {
+		m := &g.Config.Mounts[i]
 		var options []string
 		for _, o := range m.Options {
 			switch o {
@@ -219,6 +220,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 			}
 		}
 		m.Options = options
+
+		// If we are using a user namespace, we will use an intermediate
+		// directory to bind mount volumes
+		if c.state.UserNSRoot != "" && strings.HasPrefix(m.Source, c.runtime.config.VolumePath) {
+			newSourceDir := filepath.Join(c.state.UserNSRoot, "volumes")
+			m.Source = strings.Replace(m.Source, c.runtime.config.VolumePath, newSourceDir, 1)
+		}
 	}
 
 	g.SetProcessSelinuxLabel(c.ProcessLabel())