author: Daniel J Walsh <dwalsh@redhat.com>, 2022-04-13 14:06:05 -0400
committer: Daniel J Walsh <dwalsh@redhat.com>, 2022-04-21 15:29:04 -0400
commit: 80c0fceb24b70a85f3f2ca8be29f4a131c0881d4
tree: f7ceffaaf30f4b8057638db446b5512fbbe27318 /test/system/075-exec.bats
parent: 121dde6234ddfcaf11abea03449bfd2a11da90a5
Add support for --userns=nomap
From a security point of view, it would be nice to be able to map a rootless user namespace that does not use your own UID within the container. This would add protection against a hostile process escaping the container and reading content in your homedir.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test/system/075-exec.bats')
-rw-r--r-- test/system/075-exec.bats 1
1 files changed, 1 insertions, 0 deletions
diff --git a/test/system/075-exec.bats b/test/system/075-exec.bats
index 42954e5ec..0a6048b7e 100644
--- a/test/system/075-exec.bats
+++ b/test/system/075-exec.bats
@@ -87,6 +87,7 @@ load helpers
# #6829 : add username to /etc/passwd inside container if --userns=keep-id
@test "podman exec - with keep-id" {
+ skip_if_not_rootless "--userns=keep-id only works in rootless mode"
# Multiple --userns options confirm command-line override (last one wins)
run_podman run -d --userns=private --userns=keep-id $IMAGE sh -c \
"echo READY;while [ ! -f /tmp/stop ]; do sleep 1; done"