-rw-r--r-- | cmd/podman/containers/run.go | 12 | ||||
-rw-r--r-- | cmd/podman/images/list.go | 6 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 4 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 5 | ||||
-rw-r--r-- | pkg/util/utils_linux.go | 16 | ||||
-rw-r--r-- | pkg/util/utils_unsupported.go | 5 | ||||
-rw-r--r-- | vendor/github.com/containers/psgo/SECURITY.md | 3 | ||||
-rw-r--r-- | vendor/github.com/containers/psgo/psgo.go | 4 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
10 files changed, 48 insertions, 11 deletions
diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go
index 890c6e827..8a02c63c0 100644
--- a/cmd/podman/containers/run.go
+++ b/cmd/podman/containers/run.go
@@ -3,6 +3,7 @@ package containers
 import (
 "fmt"
 "os"
+ "strconv"
 "strings"
 "github.com/containers/libpod/cmd/podman/common"
@@ -10,7 +11,9 @@ import (
 "github.com/containers/libpod/libpod/define"
 "github.com/containers/libpod/pkg/domain/entities"
 "github.com/containers/libpod/pkg/errorhandling"
+ "github.com/containers/libpod/pkg/rootless"
 "github.com/containers/libpod/pkg/specgen"
+ "github.com/containers/libpod/pkg/util"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
@@ -92,6 +95,15 @@ func run(cmd *cobra.Command, args []string) error {
 return err
 }
+ if rootless.IsRootless() && !registry.IsRemote() {
+ userspec := strings.SplitN(cliVals.User, ":", 2)[0]
+ if uid, err := strconv.ParseInt(userspec, 10, 32); err == nil {
+ if err := util.CheckRootlessUIDRange(int(uid)); err != nil {
+ return err
+ }
+ }
+ }
+
 if af := cliVals.Authfile; len(af) > 0 {
 if _, err := os.Stat(af); err != nil {
 return errors.Wrapf(err, "error checking authfile path %s", af)
diff --git a/cmd/podman/images/list.go b/cmd/podman/images/list.go
index 4f8948b8b..23757104b 100644
--- a/cmd/podman/images/list.go
+++ b/cmd/podman/images/list.go
@@ -234,11 +234,7 @@ func imageListFormat(flags listFlagType) (string, string) {
 }
 hdr += "\tIMAGE ID"
- if flags.noTrunc {
- row += "\tsha256:{{.ID}}"
- } else {
- row += "\t{{.ID}}"
- }
+ row += "\t{{.ID}}"
 hdr += "\tCREATED\tSIZE"
 row += "\t{{.Created}}\t{{.Size}}"
@@ -14,7 +14,7 @@ require (
 github.com/containers/common v0.12.0
 github.com/containers/conmon v2.0.16+incompatible
 github.com/containers/image/v5 v5.4.5-0.20200529084758-46b2ee6aebb0
- github.com/containers/psgo v1.5.0
+ github.com/containers/psgo v1.5.1
 github.com/containers/storage v1.20.1
 github.com/coreos/go-systemd/v22 v22.1.0
 github.com/cri-o/ocicni v0.2.0
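Review bot: The new block in run silently skips the range check whenever `cliVals.User` is not numeric (the `err == nil` branch is the only one that calls util.CheckRootlessUIDRange), and a negative literal such as `-1` parses fine with `strconv.ParseInt(userspec, 10, 32)` and is passed on to a check that, as added in pkg/util/utils_linux.go in this commit, has no lower bound. I infer from the libpod/container_internal_linux.go hunk that user names are range-checked later on the resolved execUser, so a one-line comment would stop the next reader from "fixing" the skip: `// only a numeric UID can be range-checked here; names are resolved (and checked) once the image's passwd is available`. Using `strconv.ParseUint(userspec, 10, 32)` instead would reject negative values at the parse step. run's body starts and ends outside the hunk.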
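Review bot: Dropping the `sha256:` prefix in imageListFormat changes the ID column that `--no-trunc` users see, which is the output most likely to be parsed by scripts, and nothing in the hunk says why. If the change is intentional a comment on the surviving line, e.g. `// the ID column never carries a sha256: prefix, with or without --no-trunc`, records the decision; whether flags.noTrunc is still read elsewhere in this function is not visible, so check that the parameter is not left unused. imageListFormat starts and ends outside the hunk.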
@@ -82,8 +82,8 @@ github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDpl
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.0.2 h1:Q0/IPs8ohfbXNxEfyJ2pFVmvJu5BhqJUAmc6ES9NKbo=
 github.com/containers/ocicrypt v1.0.2/go.mod h1:nsOhbP19flrX6rE7ieGFvBlr7modwmNjsqWarIUce4M=
-github.com/containers/psgo v1.5.0 h1:uofUREsrm0Ls5K4tkEIFPqWSHKyg3Bvoqo/Q2eDmj8g=
-github.com/containers/psgo v1.5.0/go.mod h1:2ubh0SsreMZjSXW1Hif58JrEcFudQyIy9EzPUWfawVU=
+github.com/containers/psgo v1.5.1 h1:MQNb7FLbXqBdqz6u4lI2QWizVz4RSTzs1+Nk9XT1iVA=
+github.com/containers/psgo v1.5.1/go.mod h1:2ubh0SsreMZjSXW1Hif58JrEcFudQyIy9EzPUWfawVU=
 github.com/containers/storage v1.18.2/go.mod h1:WTBMf+a9ZZ/LbmEVeLHH2TX4CikWbO1Bt+/m58ZHVPg=
 github.com/containers/storage v1.19.1/go.mod h1:KbXjSwKnx17ejOsjFcCXSf78mCgZkQSLPBNTMRc3XrQ=
 github.com/containers/storage v1.19.2/go.mod h1:gYCp3jzgXkvubO0rI14QAjz5Mxm/qKJgLmHFyqayDnw=
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2bd6099f0..d08e012a6 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -325,6 +325,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 }
 if c.config.User != "" {
+ if rootless.IsRootless() {
+ if err := util.CheckRootlessUIDRange(execUser.Uid); err != nil {
+ return nil, err
+ }
+ }
 // User and Group must go together
 g.SetProcessUID(uint32(execUser.Uid))
 g.SetProcessGID(uint32(execUser.Gid))
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 288137ca5..5e4dc4a51 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -6,6 +6,7 @@ import (
 "path/filepath"
 "syscall"
+ "github.com/containers/libpod/pkg/rootless"
 "github.com/containers/psgo"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
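Review bot: Only the UID is range-checked in generateSpec, while `g.SetProcessGID(uint32(execUser.Gid))` two lines below applies a GID from the same lookup with no check against the subgid mappings, so a group id outside the rootless namespace goes through unchecked. The helper added in pkg/util/utils_linux.go in this commit already fetches the gid mappings and discards them (`uids, _, err := rootless.GetConfiguredMappings()`), so a sibling check taking execUser.Gid against the second return value would be a small addition, with the two calls placed together here. The check also sits inside `if c.config.User != ""`; if execUser can be populated from the image's default user when no user is configured (that code is outside the hunk, so this is inferred), that path skips the check too. generateSpec starts and ends outside the hunk.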
@@ -52,3 +53,18 @@ func FindDeviceNodes() (map[string]string, error) {
 return nodes, nil
 }
+
+// CheckRootlessUIDRange checks the uid within the rootless container is in the range from /etc/subuid
+func CheckRootlessUIDRange(uid int) error {
+ uids, _, err := rootless.GetConfiguredMappings()
+ if err != nil {
+ return err
+ }
+ for _, u := range uids {
+ // add 1 since we also map in the user's own UID
+ if uid > u.Size+1 {
+ return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid)
+ }
+ }
+ return nil
+}
diff --git a/pkg/util/utils_unsupported.go b/pkg/util/utils_unsupported.go
index 62805d7c8..f8d5a37c1 100644
--- a/pkg/util/utils_unsupported.go
+++ b/pkg/util/utils_unsupported.go
@@ -10,3 +10,8 @@ import (
 func FindDeviceNodes() (map[string]string, error) {
 return nil, errors.Errorf("not supported on non-Linux OSes")
 }
+
+// CheckRootlessUIDRange is not implemented anywhere except Linux.
+func CheckRootlessUIDRange(uid int) error {
+ return nil
+}
diff --git a/vendor/github.com/containers/psgo/SECURITY.md b/vendor/github.com/containers/psgo/SECURITY.md
new file mode 100644
index 000000000..5d5ba254a
--- /dev/null
+++ b/vendor/github.com/containers/psgo/SECURITY.md
@@ -0,0 +1,3 @@
+## Security and Disclosure Information Policy for the psgo Project
+
+The psgo Project follows the [Security and Disclosure Information Policy](https://github.com/containers/common/blob/master/SECURITY.md) for the Containers Projects.
diff --git a/vendor/github.com/containers/psgo/psgo.go b/vendor/github.com/containers/psgo/psgo.go
index 57132c94e..c75fc3815 100644
--- a/vendor/github.com/containers/psgo/psgo.go
+++ b/vendor/github.com/containers/psgo/psgo.go
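Review bot: CheckRootlessUIDRange compares uid against each mapping's Size on its own, so when GetConfiguredMappings returns more than one entry (several /etc/subuid lines for the user) a uid that is valid in the overall namespace is rejected by the first, smaller entry, and the entries' container-side offsets are never consulted. The bound is also one too permissive: if container id 0 is the user's own UID and the subuid range fills 1..Size, as the `// add 1` comment describes, the highest mapped id is Size and `uid > u.Size+1` still lets Size+1 through — confirm against GetConfiguredMappings, which is outside the hunk. Negative values pass as well, and the caller in cmd/podman/containers/run.go parses with ParseInt. Summing the sizes and checking both ends of the range addresses all three, and the error text should then not say "too large" for a negative id.
```go
func CheckRootlessUIDRange(uid int) error {
	uids, _, err := rootless.GetConfiguredMappings()
	// … unchanged: error check …
	mapped := 0
	for _, u := range uids {
		mapped += u.Size
	}
	// the user's own UID is mapped in addition to the subuid ranges,
	// so container ids 0..mapped are usable
	if uid < 0 || uid > mapped {
		return errors.Errorf("requested user's UID %d is outside the rootless user namespace", uid)
	}
	return nil
}
```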
@@ -847,7 +847,7 @@ func processHPID(p *process.Process, ctx *psContext) (string, error) {
 func processHUSER(p *process.Process, ctx *psContext) (string, error) {
 if hp := findHostProcess(p, ctx); hp != nil {
 if ctx.opts != nil && len(ctx.opts.UIDMap) > 0 {
- return findID(p.Status.Uids[1], ctx.opts.UIDMap, process.LookupUID, "/proc/sys/fs/overflowuid")
+ return findID(hp.Status.Uids[1], ctx.opts.UIDMap, process.LookupUID, "/proc/sys/fs/overflowuid")
 }
 return hp.Huser, nil
 }
@@ -860,7 +860,7 @@ func processHUSER(p *process.Process, ctx *psContext) (string, error) {
 func processHGROUP(p *process.Process, ctx *psContext) (string, error) {
 if hp := findHostProcess(p, ctx); hp != nil {
 if ctx.opts != nil && len(ctx.opts.GIDMap) > 0 {
- return findID(p.Status.Gids[1], ctx.opts.GIDMap, process.LookupGID, "/proc/sys/fs/overflowgid")
+ return findID(hp.Status.Gids[1], ctx.opts.GIDMap, process.LookupGID, "/proc/sys/fs/overflowgid")
 }
 return hp.Hgroup, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 55279502d..b84d9e017 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -146,7 +146,7 @@ github.com/containers/ocicrypt/keywrap/pgp
 github.com/containers/ocicrypt/keywrap/pkcs7
 github.com/containers/ocicrypt/spec
 github.com/containers/ocicrypt/utils
-# github.com/containers/psgo v1.5.0
+# github.com/containers/psgo v1.5.1
 github.com/containers/psgo
 github.com/containers/psgo/internal/capabilities
 github.com/containers/psgo/internal/cgroups |