diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-03 11:03:58 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-03 13:46:48 +0200 |
commit | cfe1d2768847929b44ddd10184eff28fd5762c2d (patch) | |
tree | 779996dc578612776a8c13c3a9983668eb96738a /pkg | |
parent | 099549bd38c2b39fb884c8e9aecdf4e44c90b484 (diff) | |
download | podman-cfe1d2768847929b44ddd10184eff28fd5762c2d.tar.gz podman-cfe1d2768847929b44ddd10184eff28fd5762c2d.tar.bz2 podman-cfe1d2768847929b44ddd10184eff28fd5762c2d.zip |
rootless: detect user namespace configuration changes
detect if the current user namespace doesn't match the configuration
in the /etc/subuid and /etc/subgid files.
If there is a mismatch, raise a warning and suggest the user to
recreate the user namespace with "system migrate", that also restarts
the containers.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/rootless/rootless_linux.go | 138 | ||||
-rw-r--r-- | pkg/rootless/rootless_unsupported.go | 6 |
2 files changed, 124 insertions, 20 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 6e48988c5..a78336d7a 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -3,7 +3,9 @@ package rootless import ( + "bufio" "fmt" + "io" "io/ioutil" "os" "os/exec" @@ -106,7 +108,7 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) } appendTriplet := func(l []string, a, b, c int) []string { - return append(l, fmt.Sprintf("%d", a), fmt.Sprintf("%d", b), fmt.Sprintf("%d", c)) + return append(l, strconv.Itoa(a), strconv.Itoa(b), strconv.Itoa(c)) } args := []string{path, fmt.Sprintf("%d", pid)} @@ -345,6 +347,31 @@ func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) { return true, int(ret), nil } +func getConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) { + var uids, gids []idtools.IDMap + username := os.Getenv("USER") + if username == "" { + var id string + if os.Geteuid() == 0 { + id = strconv.Itoa(GetRootlessUID()) + } else { + id = strconv.Itoa(os.Geteuid()) + } + userID, err := user.LookupId(id) + if err == nil { + username = userID.Username + } + } + mappings, err := idtools.NewIDMappings(username, username) + if err != nil { + logrus.Warnf("cannot find mappings for user %s: %v", username, err) + } else { + uids = mappings.UIDs() + gids = mappings.GIDs() + } + return uids, gids, nil +} + func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (bool, int, error) { if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" { @@ -386,25 +413,14 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (bool, return false, -1, errors.Errorf("cannot re-exec process") } - var uids, gids []idtools.IDMap - username := os.Getenv("USER") - if username == "" { - userID, err := user.LookupId(fmt.Sprintf("%d", os.Getuid())) - if err == nil { - username = userID.Username - } - } - mappings, err := idtools.NewIDMappings(username, username) + uids, gids, err := getConfiguredMappings() if err != nil { - logrus.Warnf("cannot find mappings for user %s: %v", username, err) - } else { - uids = mappings.UIDs() - gids = mappings.GIDs() + return false, -1, err } uidsMapped := false - if mappings != nil && uids != nil { - err := tryMappingTool("newuidmap", pid, os.Getuid(), uids) + if uids != nil { + err := tryMappingTool("newuidmap", pid, os.Geteuid(), uids) uidsMapped = err == nil } if !uidsMapped { @@ -416,20 +432,20 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (bool, } uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) - err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getuid())), 0666) + err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write uid_map") } } gidsMapped := false - if mappings != nil && gids != nil { - err := tryMappingTool("newgidmap", pid, os.Getgid(), gids) + if gids != nil { + err := tryMappingTool("newgidmap", pid, os.Getegid(), gids) gidsMapped = err == nil } if !gidsMapped { gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) - err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getgid())), 0666) + err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666) if err != nil { return false, -1, errors.Wrapf(err, "cannot write gid_map") } @@ -586,3 +602,85 @@ func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []st return joinUserAndMountNS(uint(pausePid), pausePidPath) } +func readMappingsProc(path string) ([]idtools.IDMap, error) { + file, err := os.Open(path) + if err != nil { + return nil, errors.Wrapf(err, "cannot open %s", path) + } + defer file.Close() + + mappings := []idtools.IDMap{} + + buf := bufio.NewReader(file) + for { + line, _, err := buf.ReadLine() + if err != nil { + if err == io.EOF { + return mappings, nil + } + return nil, errors.Wrapf(err, "cannot read line from %s", path) + } + if line == nil { + return mappings, nil + } + + containerID, hostID, size := 0, 0, 0 + if _, err := fmt.Sscanf(string(line), "%d %d %d", &containerID, &hostID, &size); err != nil { + return nil, errors.Wrapf(err, "cannot parse %s", string(line)) + } + mappings = append(mappings, idtools.IDMap{ContainerID: containerID, HostID: hostID, Size: size}) + } +} + +func matches(id int, configuredIDs []idtools.IDMap, currentIDs []idtools.IDMap) bool { + // The first mapping is the host user, handle it separately. + if currentIDs[0].HostID != id || currentIDs[0].Size != 1 { + return false + } + + currentIDs = currentIDs[1:] + if len(currentIDs) != len(configuredIDs) { + return false + } + + // It is fine to iterate sequentially as both slices are sorted. + for i := range currentIDs { + if currentIDs[i].HostID != configuredIDs[i].HostID { + return false + } + if currentIDs[i].Size != configuredIDs[i].Size { + return false + } + } + + return true +} + +// ConfigurationMatches checks whether the additional uids/gids configured for the user +// match the current user namespace. +func ConfigurationMatches() (bool, error) { + if !IsRootless() || os.Geteuid() != 0 { + return true, nil + } + + uids, gids, err := getConfiguredMappings() + if err != nil { + return false, err + } + + currentUIDs, err := readMappingsProc("/proc/self/uid_map") + if err != nil { + return false, err + } + + if !matches(GetRootlessUID(), uids, currentUIDs) { + return false, err + } + + currentGIDs, err := readMappingsProc("/proc/self/gid_map") + if err != nil { + return false, err + } + + return matches(GetRootlessGID(), gids, currentGIDs), nil +} diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go index a8485c083..16ba228e2 100644 --- a/pkg/rootless/rootless_unsupported.go +++ b/pkg/rootless/rootless_unsupported.go @@ -53,3 +53,9 @@ func EnableLinger() (string, error) { func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []string) (bool, int, error) { return false, -1, errors.New("this function is not supported on this os") } + +// ConfigurationMatches checks whether the additional uids/gids configured for the user +// match the current user namespace. +func ConfigurationMatches() (bool, error) { + return true, nil +} |