authorGiuseppe Scrivano <gscrivan@redhat.com>2018-08-23 23:02:04 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-08-26 07:22:42 +0000
commit720eb85ba55d8c825262e9b2e058ec8a8e0e4d9f (patch)
tree73ef0abad027bc6bffe97d75b6936b8c7562cca8 /libpod
parent1ac4dbb50861d502cb819c63335848a60ffa7dec (diff)
rootless: fix exec
We cannot re-exec into a new user namespace to gain privileges and access an existing container, as the new namespace is not the owner of the existing container. "unshare" is used to join the user namespace of the target container. The current implementation assumes that the main process of the container didn't create a new user namespace. Since in the setup phase we are not running with euid=0, we must skip the setup for containers/storage. Closes: https://github.com/containers/libpod/issues/1329 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan
Diffstat (limited to 'libpod')
-rw-r--r--libpod/oci.go6
-rw-r--r--libpod/runtime.go19
2 files changed, 19 insertions, 6 deletions
diff --git a/libpod/oci.go b/libpod/oci.go
index 9021a522b..da054eceb 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -681,6 +681,12 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
logrus.Debugf("Starting runtime %s with following arguments: %v", r.path, args)
execCmd := exec.Command(r.path, args...)
+ if rootless.IsRootless() {
+ args = append([]string{"--preserve-credentials", "-U", "-t", fmt.Sprintf("%d", c.state.PID), r.path}, args...)
+ // using nsenter might not be correct if the target PID joined a different user namespace.
+ // A better way would be to retrieve the parent ns (NS_GET_PARENT) until it is a child of the current namespace.
+ execCmd = exec.Command("nsenter", args...)
+ }
execCmd.Stdout = os.Stdout
execCmd.Stderr = os.Stderr
execCmd.Stdin = os.Stdin
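Review bot: The new `if rootless.IsRootless()` branch hands `c.state.PID` to `nsenter -t` without checking that it is non-zero, so a container with no recorded process (PID 0) produces an opaque nsenter failure instead of a clear libpod error, unless that case is already rejected earlier in execContainer, whose signature and body start before this hunk. A guard placed before the nsenter argv is built, such as `if c.state.PID == 0 { return errors.Errorf("container has no running process to exec into") }`, would make the failure explicit (this assumes oci.go imports the same errors package that runtime.go uses). The `logrus.Debugf` just above now logs the pre-nsenter arguments and the first `exec.Command` value is discarded; moving the log below the branch and constructing `execCmd` once after `args` is final keeps the debug output truthful. Because the target is identified only by PID, a container that exits between the state read and the nsenter call could leave a reused PID to be joined, so the existing comment could carry a second line such as `// The PID may also be reused if the container exits first; opening /proc/<pid>/ns/user and validating ownership would be safer.` The commit message speaks of "unshare" while this code runs nsenter; the two should agree.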
diff --git a/libpod/runtime.go b/libpod/runtime.go
index adeb901f2..2df4ef760 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -405,9 +405,14 @@ func makeRuntime(runtime *Runtime) (err error) {
}
// Set up containers/storage
- store, err := storage.GetStore(runtime.config.StorageConfig)
- if err != nil {
- return err
+ var store storage.Store
+ if rootless.SkipStorageSetup() {
+ logrus.Debug("Not configuring container store")
+ } else {
+ store, err = storage.GetStore(runtime.config.StorageConfig)
+ if err != nil {
+ return err
+ }
}
runtime.store = store
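Review bot: The new `rootless.SkipStorageSetup()` branch leaves `runtime.store` nil, and the nil guards this commit adds elsewhere cover only the deferred cleanup and `Shutdown`, so any other Runtime method that dereferences `r.store` presumably panics with a nil pointer in this mode unless each caller checks. The invariant should be written down at the assignment or on the field, e.g. `// store is nil when rootless.SkipStorageSetup() is true; every user of r.store must tolerate that.` It would also help to say in the log why the store is skipped, since the commit message gives the reason but the code does not, e.g. `logrus.Debug("Not configuring container store: rootless setup phase does not run as euid 0")`. The enclosing makeRuntime begins before this hunk and continues after it.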
@@ -424,7 +429,7 @@ func makeRuntime(runtime *Runtime) (err error) {
// Setting signaturepolicypath
ir.SignaturePolicyPath = runtime.config.SignaturePolicyPath
defer func() {
- if err != nil {
+ if err != nil && store != nil {
// Don't forcibly shut down
// We could be opening a store in use by another libpod
_, err2 := store.Shutdown(false)
@@ -611,8 +616,10 @@ func (r *Runtime) Shutdown(force bool) error {
}
var lastError error
- if _, err := r.store.Shutdown(force); err != nil {
- lastError = errors.Wrapf(err, "Error shutting down container storage")
+ if r.store != nil {
+ if _, err := r.store.Shutdown(force); err != nil {
+ lastError = errors.Wrapf(err, "Error shutting down container storage")
+ }
}
if err := r.state.Close(); err != nil {
if lastError != nil {