diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2022-01-14 13:08:17 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-14 13:08:17 +0100 |
commit | 482e0b11d988983a777990a931a6d4125117c0f3 (patch) | |
tree | ab748201dbe30e891bb0ef2f8f63c8b64a587056 /pkg/specgen | |
parent | 2c510146aa03c74fb00a15bcf81c62b14df9c7ea (diff) | |
parent | 6996830104afca5926daecc05d9154a0a9eb274d (diff) | |
download | podman-482e0b11d988983a777990a931a6d4125117c0f3.tar.gz podman-482e0b11d988983a777990a931a6d4125117c0f3.tar.bz2 podman-482e0b11d988983a777990a931a6d4125117c0f3.zip |
Merge pull request #12849 from cdoern/podProhibit
Prohibit --uid/gid map and --pod for container create/run
Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/namespaces.go | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index b04cf30f5..760fbe2b9 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go @@ -193,8 +193,14 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod. // This wipes the UserNS settings that get set from the infra container // when we are inheritting from the pod. So only apply this if the container // is not being created in a pod. - if s.IDMappings != nil && pod == nil { - toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings)) + if s.IDMappings != nil { + if pod == nil { + toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings)) + } else { + if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) { + return nil, errors.Wrapf(define.ErrInvalidArg, "cannot specify a new uid/gid map when entering a pod with an infra container") + } + } } if s.User != "" { toReturn = append(toReturn, libpod.WithUser(s.User)) |