summaryrefslogtreecommitdiff
path: root/pkg/rootless/rootless_linux.go
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-04-08 13:04:51 -0400
committerGitHub <noreply@github.com>2022-04-08 13:04:51 -0400
commit1d01815c107c91f6cfe98446d334c94a97d11080 (patch)
tree677332395db7e550c43b0a2acc485c4a5939ae50 /pkg/rootless/rootless_linux.go
parent343778f61ac38f0597cfbad38ace644035340f22 (diff)
parent2508913a0f5d531d9c965f695b8b19dfb23882c7 (diff)
downloadpodman-1d01815c107c91f6cfe98446d334c94a97d11080.tar.gz
podman-1d01815c107c91f6cfe98446d334c94a97d11080.tar.bz2
podman-1d01815c107c91f6cfe98446d334c94a97d11080.zip
Merge pull request #13794 from rhatdan/newuidmap
If newuidmap or newgidmap fail, then check their permissions
Diffstat (limited to 'pkg/rootless/rootless_linux.go')
-rw-r--r--pkg/rootless/rootless_linux.go15
1 files changed, 14 insertions, 1 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index cff6de5a3..e4d89294e 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -25,6 +25,7 @@ import (
"github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
+ "github.com/syndtr/gocapability/capability"
"golang.org/x/sys/unix"
)
@@ -114,8 +115,14 @@ func GetRootlessGID() int {
func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error {
var tool = "newuidmap"
+ mode := os.ModeSetuid
+ cap := capability.CAP_SETUID
+ idtype := "setuid"
if !uid {
tool = "newgidmap"
+ mode = os.ModeSetgid
+ cap = capability.CAP_SETGID
+ idtype = "setgid"
}
path, err := exec.LookPath(tool)
if err != nil {
@@ -147,7 +154,13 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err
if output, err := cmd.CombinedOutput(); err != nil {
logrus.Errorf("running `%s`: %s", strings.Join(args, " "), output)
- return errors.Wrapf(err, "cannot setup namespace using %q", path)
+ errorStr := fmt.Sprintf("cannot setup namespace using %q", path)
+ if isSet, err := unshare.IsSetID(cmd.Path, mode, cap); err != nil {
+ logrus.Errorf("Failed to check for %s on %s: %v", idtype, path, err)
+ } else if !isSet {
+ errorStr = fmt.Sprintf("%s: should have %s or have filecaps %s", errorStr, idtype, idtype)
+ }
+ return errors.Wrapf(err, errorStr)
}
return nil
}