authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-06-02 20:51:13 +0200
committerGitHub <noreply@github.com>2020-06-02 20:51:13 +0200
commitc4ccd7cbc1509bab6183c47f740cbf2cc4ee0424 (patch)
treee93a98054a8cb3f956aaf94b96705371f80cbdcc /pkg
parent37ac21ff085b6e17adec3c0d9945524aa41029ae (diff)
parent77e4b077b9d8989b1300689103a5489bd1ad9a8b (diff)
Merge pull request #6435 from QiWang19/uid
check --user range for rootless containers
Diffstat (limited to 'pkg')
-rw-r--r--pkg/util/utils_linux.go16
-rw-r--r--pkg/util/utils_unsupported.go5
2 files changed, 21 insertions, 0 deletions
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 288137ca5..5e4dc4a51 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -6,6 +6,7 @@ import (
"path/filepath"
"syscall"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/containers/psgo"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@@ -52,3 +53,18 @@ func FindDeviceNodes() (map[string]string, error) {
return nodes, nil
}
+
+// CheckRootlessUIDRange checks the uid within the rootless container is in the range from /etc/subuid
+func CheckRootlessUIDRange(uid int) error {
+ uids, _, err := rootless.GetConfiguredMappings()
+ if err != nil {
+ return err
+ }
+ for _, u := range uids {
+ // add 1 since we also map in the user's own UID
+ if uid > u.Size+1 {
+ return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid)
+ }
+ }
+ return nil
+}
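Review bot: The loop in CheckRootlessUIDRange compares `uid` against each configured range on its own (`uid > u.Size+1`), so with more than one subuid range a UID that fits in the combined mapping is rejected as soon as one range is smaller, and with no ranges at all the loop body never runs and every UID passes. The bound also looks one too high: if container ID 0 is the user's own UID and IDs 1..N come from the subuid ranges (as the inline comment suggests), the highest mapped ID is N, yet `uid == u.Size+1` is accepted. Summing the sizes first and comparing once fixes both, and a negative `uid` should be rejected in the same check. The layout of the values returned by `rootless.GetConfiguredMappings()` is not visible in this hunk, so confirm that `Size` is the length of one range.

```go
func CheckRootlessUIDRange(uid int) error {
	// … unchanged: rootless.GetConfiguredMappings() call and error return …
	total := 0
	for _, u := range uids {
		total += u.Size
	}
	// container ID 0 is the user's own UID; IDs 1..total come from the configured ranges
	if uid < 0 || uid > total {
		return errors.Errorf("requested user's UID %d is outside the rootless user namespace", uid)
	}
	return nil
}
```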
diff --git a/pkg/util/utils_unsupported.go b/pkg/util/utils_unsupported.go
index 62805d7c8..f8d5a37c1 100644
--- a/pkg/util/utils_unsupported.go
+++ b/pkg/util/utils_unsupported.go
@@ -10,3 +10,8 @@ import (
func FindDeviceNodes() (map[string]string, error) {
return nil, errors.Errorf("not supported on non-Linux OSes")
}
+
+// CheckRootlessUIDRange is not implemented anywhere except Linux.
+func CheckRootlessUIDRange(uid int) error {
+ return nil
+}