aboutsummaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-09-03 11:03:58 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-09-03 13:46:48 +0200
commitcfe1d2768847929b44ddd10184eff28fd5762c2d (patch)
tree779996dc578612776a8c13c3a9983668eb96738a /pkg
parent099549bd38c2b39fb884c8e9aecdf4e44c90b484 (diff)
downloadpodman-cfe1d2768847929b44ddd10184eff28fd5762c2d.tar.gz
podman-cfe1d2768847929b44ddd10184eff28fd5762c2d.tar.bz2
podman-cfe1d2768847929b44ddd10184eff28fd5762c2d.zip
rootless: detect user namespace configuration changes
detect if the current user namespace doesn't match the configuration in the /etc/subuid and /etc/subgid files. If there is a mismatch, raise a warning and suggest the user to recreate the user namespace with "system migrate", that also restarts the containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/rootless/rootless_linux.go138
-rw-r--r--pkg/rootless/rootless_unsupported.go6
2 files changed, 124 insertions, 20 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 6e48988c5..a78336d7a 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -3,7 +3,9 @@
package rootless
import (
+ "bufio"
"fmt"
+ "io"
"io/ioutil"
"os"
"os/exec"
@@ -106,7 +108,7 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap)
}
appendTriplet := func(l []string, a, b, c int) []string {
- return append(l, fmt.Sprintf("%d", a), fmt.Sprintf("%d", b), fmt.Sprintf("%d", c))
+ return append(l, strconv.Itoa(a), strconv.Itoa(b), strconv.Itoa(c))
}
args := []string{path, fmt.Sprintf("%d", pid)}
@@ -345,6 +347,31 @@ func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) {
return true, int(ret), nil
}
+func getConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
+ var uids, gids []idtools.IDMap
+ username := os.Getenv("USER")
+ if username == "" {
+ var id string
+ if os.Geteuid() == 0 {
+ id = strconv.Itoa(GetRootlessUID())
+ } else {
+ id = strconv.Itoa(os.Geteuid())
+ }
+ userID, err := user.LookupId(id)
+ if err == nil {
+ username = userID.Username
+ }
+ }
+ mappings, err := idtools.NewIDMappings(username, username)
+ if err != nil {
+ logrus.Warnf("cannot find mappings for user %s: %v", username, err)
+ } else {
+ uids = mappings.UIDs()
+ gids = mappings.GIDs()
+ }
+ return uids, gids, nil
+}
+
func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (bool, int, error) {
if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" {
@@ -386,25 +413,14 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (bool,
return false, -1, errors.Errorf("cannot re-exec process")
}
- var uids, gids []idtools.IDMap
- username := os.Getenv("USER")
- if username == "" {
- userID, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
- if err == nil {
- username = userID.Username
- }
- }
- mappings, err := idtools.NewIDMappings(username, username)
+ uids, gids, err := getConfiguredMappings()
if err != nil {
- logrus.Warnf("cannot find mappings for user %s: %v", username, err)
- } else {
- uids = mappings.UIDs()
- gids = mappings.GIDs()
+ return false, -1, err
}
uidsMapped := false
- if mappings != nil && uids != nil {
- err := tryMappingTool("newuidmap", pid, os.Getuid(), uids)
+ if uids != nil {
+ err := tryMappingTool("newuidmap", pid, os.Geteuid(), uids)
uidsMapped = err == nil
}
if !uidsMapped {
@@ -416,20 +432,20 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (bool,
}
uidMap := fmt.Sprintf("/proc/%d/uid_map", pid)
- err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getuid())), 0666)
+ err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666)
if err != nil {
return false, -1, errors.Wrapf(err, "cannot write uid_map")
}
}
gidsMapped := false
- if mappings != nil && gids != nil {
- err := tryMappingTool("newgidmap", pid, os.Getgid(), gids)
+ if gids != nil {
+ err := tryMappingTool("newgidmap", pid, os.Getegid(), gids)
gidsMapped = err == nil
}
if !gidsMapped {
gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)
- err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getgid())), 0666)
+ err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666)
if err != nil {
return false, -1, errors.Wrapf(err, "cannot write gid_map")
}
@@ -586,3 +602,85 @@ func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []st
return joinUserAndMountNS(uint(pausePid), pausePidPath)
}
+func readMappingsProc(path string) ([]idtools.IDMap, error) {
+ file, err := os.Open(path)
+ if err != nil {
+ return nil, errors.Wrapf(err, "cannot open %s", path)
+ }
+ defer file.Close()
+
+ mappings := []idtools.IDMap{}
+
+ buf := bufio.NewReader(file)
+ for {
+ line, _, err := buf.ReadLine()
+ if err != nil {
+ if err == io.EOF {
+ return mappings, nil
+ }
+ return nil, errors.Wrapf(err, "cannot read line from %s", path)
+ }
+ if line == nil {
+ return mappings, nil
+ }
+
+ containerID, hostID, size := 0, 0, 0
+ if _, err := fmt.Sscanf(string(line), "%d %d %d", &containerID, &hostID, &size); err != nil {
+ return nil, errors.Wrapf(err, "cannot parse %s", string(line))
+ }
+ mappings = append(mappings, idtools.IDMap{ContainerID: containerID, HostID: hostID, Size: size})
+ }
+}
+
+func matches(id int, configuredIDs []idtools.IDMap, currentIDs []idtools.IDMap) bool {
+ // The first mapping is the host user, handle it separately.
+ if currentIDs[0].HostID != id || currentIDs[0].Size != 1 {
+ return false
+ }
+
+ currentIDs = currentIDs[1:]
+ if len(currentIDs) != len(configuredIDs) {
+ return false
+ }
+
+ // It is fine to iterate sequentially as both slices are sorted.
+ for i := range currentIDs {
+ if currentIDs[i].HostID != configuredIDs[i].HostID {
+ return false
+ }
+ if currentIDs[i].Size != configuredIDs[i].Size {
+ return false
+ }
+ }
+
+ return true
+}
+
+// ConfigurationMatches checks whether the additional uids/gids configured for the user
+// match the current user namespace.
+func ConfigurationMatches() (bool, error) {
+ if !IsRootless() || os.Geteuid() != 0 {
+ return true, nil
+ }
+
+ uids, gids, err := getConfiguredMappings()
+ if err != nil {
+ return false, err
+ }
+
+ currentUIDs, err := readMappingsProc("/proc/self/uid_map")
+ if err != nil {
+ return false, err
+ }
+
+ if !matches(GetRootlessUID(), uids, currentUIDs) {
+ return false, err
+ }
+
+ currentGIDs, err := readMappingsProc("/proc/self/gid_map")
+ if err != nil {
+ return false, err
+ }
+
+ return matches(GetRootlessGID(), gids, currentGIDs), nil
+}
diff --git a/pkg/rootless/rootless_unsupported.go b/pkg/rootless/rootless_unsupported.go
index a8485c083..16ba228e2 100644
--- a/pkg/rootless/rootless_unsupported.go
+++ b/pkg/rootless/rootless_unsupported.go
@@ -53,3 +53,9 @@ func EnableLinger() (string, error) {
func TryJoinFromFilePaths(pausePidPath string, needNewNamespace bool, paths []string) (bool, int, error) {
return false, -1, errors.New("this function is not supported on this os")
}
+
+// ConfigurationMatches checks whether the additional uids/gids configured for the user
+// match the current user namespace.
+func ConfigurationMatches() (bool, error) {
+ return true, nil
+}