aboutsummaryrefslogtreecommitdiff
path: root/pkg/specgen/namespaces.go
diff options
context:
space:
mode:
authorMatthew Heon <mheon@redhat.com>2022-09-02 13:40:29 -0400
committerMatthew Heon <mheon@redhat.com>2022-09-06 15:09:27 -0400
commit5cb27f3c85e517954e81f129deb0e492511a814f (patch)
treee024231b1724ce5dcfaadb8ada18be6628203834 /pkg/specgen/namespaces.go
parent85f3c2783cb6807032b779bc2827dd79dbcad3e4 (diff)
downloadpodman-5cb27f3c85e517954e81f129deb0e492511a814f.tar.gz
podman-5cb27f3c85e517954e81f129deb0e492511a814f.tar.bz2
podman-5cb27f3c85e517954e81f129deb0e492511a814f.zip
Add container GID to additional groups
Mitigates a potential permissions issue. Mirrors Buildah PR #4200 and CRI-O PR #6159. Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'pkg/specgen/namespaces.go')
-rw-r--r--pkg/specgen/namespaces.go2
1 files changed, 2 insertions, 0 deletions
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 03a2049f6..2578e6163 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -497,6 +497,7 @@ func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *gene
idmappings = mappings
g.SetProcessUID(uint32(uid))
g.SetProcessGID(uint32(gid))
+ g.AddProcessAdditionalGid(uint32(gid))
user = fmt.Sprintf("%d:%d", uid, gid)
if err := privateUserNamespace(idmappings, g); err != nil {
return user, err
@@ -509,6 +510,7 @@ func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *gene
idmappings = mappings
g.SetProcessUID(uint32(uid))
g.SetProcessGID(uint32(gid))
+ g.AddProcessAdditionalGid(uint32(gid))
user = fmt.Sprintf("%d:%d", uid, gid)
if err := privateUserNamespace(idmappings, g); err != nil {
return user, err
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-01-03 22:16:36 +0000