diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-07-30 21:44:53 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2020-07-30 23:16:50 +0200 |
commit | d188b2fe2272212f835f5b1ccb68278535b59803 (patch) | |
tree | 01826b4eb22d1c98733280f6f66cb76ed774bcbb /pkg/rootless | |
parent | d86ef45441635bf12a9ba78ace91050622a5eac3 (diff) | |
download | podman-d188b2fe2272212f835f5b1ccb68278535b59803.tar.gz podman-d188b2fe2272212f835f5b1ccb68278535b59803.tar.bz2 podman-d188b2fe2272212f835f5b1ccb68278535b59803.zip |
rootless: add a check for the host id included in the range
add a check to verify whether the additional IDs also contain the host
ID.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg/rootless')
-rw-r--r-- | pkg/rootless/rootless_linux.go | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index fc4393927..ccc8a1d94 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -97,7 +97,11 @@ func GetRootlessGID() int { return os.Getegid() } -func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) error { +func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error { + var tool = "newuidmap" + if !uid { + tool = "newgidmap" + } path, err := exec.LookPath(tool) if err != nil { return errors.Wrapf(err, "cannot find %s", tool) @@ -110,6 +114,15 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) args := []string{path, fmt.Sprintf("%d", pid)} args = appendTriplet(args, 0, hostID, 1) for _, i := range mappings { + if hostID >= i.HostID && hostID < i.HostID+i.Size { + what := "UID" + where := "/etc/subuid" + if !uid { + what = "GID" + where = "/etc/subgid" + } + return errors.Errorf("invalid configuration: the specified mapping %d:%d in %q includes the user %s", i.HostID, i.Size, where, what) + } args = appendTriplet(args, i.ContainerID+1, i.HostID, i.Size) } cmd := exec.Cmd{ @@ -227,7 +240,7 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo uidsMapped := false if uids != nil { - err := tryMappingTool("newuidmap", pid, os.Geteuid(), uids) + err := tryMappingTool(true, pid, os.Geteuid(), uids) // If some mappings were specified, do not ignore the error if err != nil && len(uids) > 0 { return false, -1, err @@ -253,7 +266,7 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo gidsMapped := false if gids != nil { - err := tryMappingTool("newgidmap", pid, os.Getegid(), gids) + err := tryMappingTool(false, pid, os.Getegid(), gids) // If some mappings were specified, do not ignore the error if err != nil && len(gids) > 0 { return false, -1, err |