diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2018-12-21 06:09:45 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-12-21 06:09:45 -0800 |
commit | faa7ff3568a6cdc52caa99dfa88b656818574fdc (patch) | |
tree | 7d1e1382bc74cf4bdbac3b5b60b3a70bd84fd68e /pkg | |
parent | 28e30408b6f6088545421e0cfb8ca3e05d1cdc06 (diff) | |
parent | 0ed55f75abac1311b61a17079ae9314ec5459bfd (diff) | |
download | podman-faa7ff3568a6cdc52caa99dfa88b656818574fdc.tar.gz podman-faa7ff3568a6cdc52caa99dfa88b656818574fdc.tar.bz2 podman-faa7ff3568a6cdc52caa99dfa88b656818574fdc.zip |
Merge pull request #2028 from giuseppe/fix-rootless-export
rootless: fix export when using fuse-overlayfs
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/rootless/rootless_linux.c | 9 | ||||
-rw-r--r-- | pkg/rootless/rootless_linux.go | 39 |
2 files changed, 44 insertions, 4 deletions
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index 9eb16c1a5..1d28ff68d 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -99,7 +99,7 @@ get_cmd_line_args (pid_t pid) } int -reexec_userns_join (int userns) +reexec_userns_join (int userns, int mountns) { pid_t ppid = getpid (); char uid[16]; @@ -131,6 +131,13 @@ reexec_userns_join (int userns) } close (userns); + if (mountns >= 0 && setns (mountns, 0) < 0) + { + fprintf (stderr, "cannot setns: %s\n", strerror (errno)); + _exit (EXIT_FAILURE); + } + close (userns); + if (syscall_setresgid (0, 0, 0) < 0) { fprintf (stderr, "cannot setresgid: %s\n", strerror (errno)); diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 07002da3f..9a192c0fa 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -25,7 +25,7 @@ import ( /* extern int reexec_in_user_namespace(int ready); extern int reexec_in_user_namespace_wait(int pid); -extern int reexec_userns_join(int userns); +extern int reexec_userns_join(int userns, int mountns); */ import "C" @@ -112,7 +112,40 @@ func JoinNS(pid uint) (bool, int, error) { } defer userNS.Close() - pidC := C.reexec_userns_join(C.int(userNS.Fd())) + pidC := C.reexec_userns_join(C.int(userNS.Fd()), -1) + if int(pidC) < 0 { + return false, -1, errors.Errorf("cannot re-exec process") + } + + ret := C.reexec_in_user_namespace_wait(pidC) + if ret < 0 { + return false, -1, errors.New("error waiting for the re-exec process") + } + + return true, int(ret), nil +} + +// JoinDirectUserAndMountNS re-exec podman in a new userNS and join the user and mount +// namespace of the specified PID without looking up its parent. Useful to join directly +// the conmon process. +func JoinDirectUserAndMountNS(pid uint) (bool, int, error) { + if os.Geteuid() == 0 || os.Getenv("_LIBPOD_USERNS_CONFIGURED") != "" { + return false, -1, nil + } + + userNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/user", pid)) + if err != nil { + return false, -1, err + } + defer userNS.Close() + + mountNS, err := os.Open(fmt.Sprintf("/proc/%d/ns/mnt", pid)) + if err != nil { + return false, -1, err + } + defer userNS.Close() + + pidC := C.reexec_userns_join(C.int(userNS.Fd()), C.int(mountNS.Fd())) if int(pidC) < 0 { return false, -1, errors.Errorf("cannot re-exec process") } @@ -138,7 +171,7 @@ func JoinNSPath(path string) (bool, int, error) { } defer userNS.Close() - pidC := C.reexec_userns_join(C.int(userNS.Fd())) + pidC := C.reexec_userns_join(C.int(userNS.Fd()), -1) if int(pidC) < 0 { return false, -1, errors.Errorf("cannot re-exec process") } |