Enforce namespace checks on container add

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/libpod/in_memory_state.go b/libpod/in_memory_state.go
index 265170284..55be89d4c 100644
--- a/libpod/in_memory_state.go
+++ b/libpod/in_memory_state.go
@@ -172,6 +172,10 @@ func (s *InMemoryState) AddContainer(ctr *Container) error {
 		return errors.Wrapf(ErrInvalidArg, "cannot add a container that is in a pod with AddContainer, use AddContainerToPod")
 	}
 
+	if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil {
+		return err
+	}
+
 	// There are potential race conditions with this
 	// But in-memory state is intended purely for testing and not production
 	// use, so this should be fine.
@@ -692,6 +696,10 @@ func (s *InMemoryState) AddContainerToPod(pod *Pod, ctr *Container) error {
 			ctr.ID(), ctr.config.Namespace, pod.ID(), pod.config.Namespace)
 	}
 
+	if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil {
+		return err
+	}
+
 	// Retrieve pod containers list
 	podCtrs, ok := s.podContainers[pod.ID()]
 	if !ok {