diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2018-07-13 14:15:54 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-07-13 14:15:54 -0400 |
commit | 673465a7475f2c4ed6bfe06c481ecc99a2510c30 (patch) | |
tree | 9552b4b7e5956fbb798bf9d77820c7d30035a8c3 /pkg/rootless | |
parent | 827359c8e6b116b839a95460cc1775a11f84b682 (diff) | |
parent | 62e48e5b71abe3002361bbf018961f8031fba03e (diff) | |
download | podman-673465a7475f2c4ed6bfe06c481ecc99a2510c30.tar.gz podman-673465a7475f2c4ed6bfe06c481ecc99a2510c30.tar.bz2 podman-673465a7475f2c4ed6bfe06c481ecc99a2510c30.zip |
Merge pull request #1075 from giuseppe/rootless-no-symlinks-into-storage-path
rootless: fix usage on Fedora Silverblue/CoreOS
Diffstat (limited to 'pkg/rootless')
-rw-r--r-- | pkg/rootless/rootless_linux.c | 6 | ||||
-rw-r--r-- | pkg/rootless/rootless_linux.go | 31 | ||||
-rw-r--r-- | pkg/rootless/rootless_unsupported.go | 4 |
3 files changed, 22 insertions, 19 deletions
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index f2684f75f..d08c6c875 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -105,16 +105,16 @@ reexec_in_user_namespace(int ready) ret = read (ready, &b, 1) < 0; while (ret < 0 && errno == EINTR); if (ret < 0) - _exit (1); + _exit (EXIT_FAILURE); close (ready); if (setresgid (0, 0, 0) < 0 || setresuid (0, 0, 0) < 0) - _exit (1); + _exit (EXIT_FAILURE); execvp (argv[0], argv); - _exit (1); + _exit (EXIT_FAILURE); } int diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 55a55bbc6..6089ad73a 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -67,14 +67,16 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) return cmd.Run() } -// BecomeRootInUserNS re-exec podman in a new userNS -func BecomeRootInUserNS() (bool, error) { - +// BecomeRootInUserNS re-exec podman in a new userNS. It returns whether podman was re-executed +// into a new user namespace and the return code from the re-executed podman process. +// If podman was re-executed the caller needs to propagate the error code returned by the child +// process. +func BecomeRootInUserNS() (bool, int, error) { if os.Getuid() == 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" { if os.Getenv("_LIBPOD_USERNS_CONFIGURED") == "init" { - return false, runInUser() + return false, 0, runInUser() } - return false, nil + return false, 0, nil } runtime.LockOSThread() @@ -82,7 +84,7 @@ func BecomeRootInUserNS() (bool, error) { r, w, err := os.Pipe() if err != nil { - return false, err + return false, -1, err } defer r.Close() defer w.Close() @@ -90,13 +92,13 @@ func BecomeRootInUserNS() (bool, error) { pidC := C.reexec_in_user_namespace(C.int(r.Fd())) pid := int(pidC) if pid < 0 { - return false, errors.Errorf("cannot re-exec process") + return false, -1, errors.Errorf("cannot re-exec process") } setgroups := fmt.Sprintf("/proc/%d/setgroups", pid) err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666) if err != nil { - return false, errors.Wrapf(err, "cannot write setgroups file") + return false, -1, errors.Wrapf(err, "cannot write setgroups file") } var uids, gids []idtools.IDMap @@ -115,7 +117,7 @@ func BecomeRootInUserNS() (bool, error) { uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getuid())), 0666) if err != nil { - return false, errors.Wrapf(err, "cannot write uid_map") + return false, -1, errors.Wrapf(err, "cannot write uid_map") } } @@ -127,13 +129,13 @@ func BecomeRootInUserNS() (bool, error) { gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getgid())), 0666) if err != nil { - return false, errors.Wrapf(err, "cannot write gid_map") + return false, -1, errors.Wrapf(err, "cannot write gid_map") } } _, err = w.Write([]byte("1")) if err != nil { - return false, errors.Wrapf(err, "write to sync pipe") + return false, -1, errors.Wrapf(err, "write to sync pipe") } c := make(chan os.Signal, 1) @@ -150,9 +152,10 @@ func BecomeRootInUserNS() (bool, error) { } }() - if C.reexec_in_user_namespace_wait(pidC) < 0 { - return false, errors.Wrapf(err, "error waiting for the re-exec process") + ret := C.reexec_in_user_namespace_wait(pidC) + if ret < 0 { + return false, -1, errors.Wrapf(err, "error waiting for the re-exec process") } - return true, nil + return true, int(ret), nil } diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go index a6efa73f5..b1f075045 100644 --- a/pkg/rootless/rootless_unsupported.go +++ b/pkg/rootless/rootless_unsupported.go @@ -13,8 +13,8 @@ func IsRootless() bool { // BecomeRootInUserNS is a stub function that always returns false and an // error on unsupported OS's -func BecomeRootInUserNS() (bool, error) { - return false, errors.New("this function is not supported on this os") +func BecomeRootInUserNS() (bool, int, error) { + return false, -1, errors.New("this function is not supported on this os") } // GetRootlessUID returns the UID of the user in the parent userNS |