authorMatthew Heon <matthew.heon@pm.me>2020-07-14 16:20:22 -0400
committerMatthew Heon <matthew.heon@pm.me>2020-07-15 10:25:46 -0400
commit1ad7042a34771ccaae2960decc93367fcf898dad (patch)
tree15528af88be1099297dd7d51dd3b1b8b64bfae26 /libpod/util.go
parent60127cf5e88ef53748cb601d7c27f082d284e7f4 (diff)
Preserve passwd on container restart
We added code to create a `/etc/passwd` file that we bind-mount into the container in some cases (most notably, `--userns=keep-id` containers). This, unfortunately, was not persistent, so user-added users would be dropped on container restart. Changing where we store the file should fix this. Further, we want to ensure that lookups of users in the container use the right /etc/passwd if we replaced it. There was already logic to do this, but it only worked for user-added mounts; it's easy enough to alter it to use our mounts as well. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Diffstat (limited to 'libpod/util.go')
-rw-r--r--libpod/util.go26
1 files changed, 26 insertions, 0 deletions
diff --git a/libpod/util.go b/libpod/util.go
index 8c2d946ba..a8d405b5f 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -18,6 +18,7 @@ import (
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/fsnotify/fsnotify"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -273,3 +274,28 @@ func makeInspectPortBindings(bindings []ocicni.PortMapping) map[string][]define.
}
return portBindings
}
+
+// Write a given string to a new file at a given path.
+// Will error if a file with the given name already exists.
+// Will be chown'd to the UID/GID provided and have the provided SELinux label
+// set.
+func writeStringToPath(path, contents, mountLabel string, uid, gid int) error {
+ f, err := os.Create(path)
+ if err != nil {
+ return errors.Wrapf(err, "unable to create %s", path)
+ }
+ defer f.Close()
+ if err := f.Chown(uid, gid); err != nil {
+ return err
+ }
+
+ if _, err := f.WriteString(contents); err != nil {
+ return errors.Wrapf(err, "unable to write %s", path)
+ }
+ // Relabel runDirResolv for the container
+ if err := label.Relabel(path, mountLabel, false); err != nil {
+ return err
+ }
+
+ return nil
+}
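Review bot: The header comment promises that writeStringToPath "will error if a file with the given name already exists", but os.Create on the first line of the body truncates an existing file (and follows an existing symlink at that path) instead of failing, so the documented contract is not enforced. Given that the caller is a passwd file bind-mounted into the container, the exclusive-create semantics seem to be the intended guard; `f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0644)` would make the code match the comment, with the mode chosen to suit how the file is later mounted. Two smaller points in the same function: the Chown error is returned bare while the neighbouring errors are wrapped with the path, so `return errors.Wrapf(err, "unable to chown %s", path)` would keep the style consistent, and the comment `// Relabel runDirResolv for the container` looks copied from elsewhere since this function relabels whatever path it was given; `// Relabel the new file with the container's mount label` describes what the line does.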