diff options
author | Qi Wang <qiwan@redhat.com> | 2020-05-29 17:39:42 -0400 |
---|---|---|
committer | Qi Wang <qiwan@redhat.com> | 2020-06-02 11:28:58 -0400 |
commit | 77e4b077b9d8989b1300689103a5489bd1ad9a8b (patch) | |
tree | 7f40976b06093fa7969a7cdcf19fb4365e45647c /pkg | |
parent | f559cec6c0d1694cca9530004aaba3c138f621e3 (diff) | |
download | podman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.tar.gz podman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.tar.bz2 podman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.zip |
check --user range for rootless containers
Check --user range if it's a uid for rootless containers. Returns error if it is out of the range. From https://github.com/containers/libpod/issues/6431#issuecomment-636124686
Signed-off-by: Qi Wang <qiwan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/util/utils_linux.go | 16 | ||||
-rw-r--r-- | pkg/util/utils_unsupported.go | 5 |
2 files changed, 21 insertions, 0 deletions
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go index 288137ca5..5e4dc4a51 100644 --- a/pkg/util/utils_linux.go +++ b/pkg/util/utils_linux.go @@ -6,6 +6,7 @@ import ( "path/filepath" "syscall" + "github.com/containers/libpod/pkg/rootless" "github.com/containers/psgo" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -52,3 +53,18 @@ func FindDeviceNodes() (map[string]string, error) { return nodes, nil } + +// CheckRootlessUIDRange checks the uid within the rootless container is in the range from /etc/subuid +func CheckRootlessUIDRange(uid int) error { + uids, _, err := rootless.GetConfiguredMappings() + if err != nil { + return err + } + for _, u := range uids { + // add 1 since we also map in the user's own UID + if uid > u.Size+1 { + return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid) + } + } + return nil +} diff --git a/pkg/util/utils_unsupported.go b/pkg/util/utils_unsupported.go index 62805d7c8..f8d5a37c1 100644 --- a/pkg/util/utils_unsupported.go +++ b/pkg/util/utils_unsupported.go @@ -10,3 +10,8 @@ import ( func FindDeviceNodes() (map[string]string, error) { return nil, errors.Errorf("not supported on non-Linux OSes") } + +// CheckRootlessUIDRange is not implemented anywhere except Linux. +func CheckRootlessUIDRange(uid int) error { + return nil +} |