diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2022-04-08 13:04:51 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-08 13:04:51 -0400 |
commit | 1d01815c107c91f6cfe98446d334c94a97d11080 (patch) | |
tree | 677332395db7e550c43b0a2acc485c4a5939ae50 /pkg/rootless/rootless_linux.go | |
parent | 343778f61ac38f0597cfbad38ace644035340f22 (diff) | |
parent | 2508913a0f5d531d9c965f695b8b19dfb23882c7 (diff) | |
download | podman-1d01815c107c91f6cfe98446d334c94a97d11080.tar.gz podman-1d01815c107c91f6cfe98446d334c94a97d11080.tar.bz2 podman-1d01815c107c91f6cfe98446d334c94a97d11080.zip |
Merge pull request #13794 from rhatdan/newuidmap
If newuidmap or newgidmap fail, then check their permissions
Diffstat (limited to 'pkg/rootless/rootless_linux.go')
-rw-r--r-- | pkg/rootless/rootless_linux.go | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index cff6de5a3..e4d89294e 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -25,6 +25,7 @@ import ( "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" + "github.com/syndtr/gocapability/capability" "golang.org/x/sys/unix" ) @@ -114,8 +115,14 @@ func GetRootlessGID() int { func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error { var tool = "newuidmap" + mode := os.ModeSetuid + cap := capability.CAP_SETUID + idtype := "setuid" if !uid { tool = "newgidmap" + mode = os.ModeSetgid + cap = capability.CAP_SETGID + idtype = "setgid" } path, err := exec.LookPath(tool) if err != nil { @@ -147,7 +154,13 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err if output, err := cmd.CombinedOutput(); err != nil { logrus.Errorf("running `%s`: %s", strings.Join(args, " "), output) - return errors.Wrapf(err, "cannot setup namespace using %q", path) + errorStr := fmt.Sprintf("cannot setup namespace using %q", path) + if isSet, err := unshare.IsSetID(cmd.Path, mode, cap); err != nil { + logrus.Errorf("Failed to check for %s on %s: %v", idtype, path, err) + } else if !isSet { + errorStr = fmt.Sprintf("%s: should have %s or have filecaps %s", errorStr, idtype, idtype) + } + return errors.Wrapf(err, errorStr) } return nil } |