From a609e026a5f58d935a25e558480ed314783062fc Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 12 Dec 2018 11:56:19 +0100
Subject: mount: allow mount only when using vfs

when using a driver different than vfs, the mount is probably in a different mount namespace thus not accessible from the host. Avoid the confusion by not allowing mount when a different driver is used.

Closes: https://github.com/containers/libpod/issues/1964

Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/main.go | 1 +
 cmd/podman/mount.go | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 796b0b03a..2db6c5dec 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -34,6 +34,7 @@ var cmdsNotRequiringRootless = map[string]bool{
 // If this change, please also update libpod.refreshRootless()
 "login": true,
 "logout": true,
+ "mount": true,
 "kill": true,
 "pause": true,
 "restart": true,
diff --git a/cmd/podman/mount.go b/cmd/podman/mount.go
index 585f506cd..c91115597 100644
--- a/cmd/podman/mount.go
+++ b/cmd/podman/mount.go
@@ -3,9 +3,11 @@ package main
 import (
 js "encoding/json"
 "fmt"
+ "os"
 
 of "github.com/containers/libpod/cmd/podman/formats"
 "github.com/containers/libpod/cmd/podman/libpodruntime"
+ "github.com/containers/libpod/pkg/rootless"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "github.com/urfave/cli"
@@ -52,6 +54,9 @@ func mountCmd(c *cli.Context) error {
 if err := validateFlags(c, mountFlags); err != nil {
 return err
 }
+ if os.Geteuid() != 0 {
+ rootless.SetSkipStorageSetup(true)
+ }
 runtime, err := libpodruntime.GetRuntime(c)
 if err != nil {
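Review bot: The context line directly above the new `"mount": true` entry in cmd/podman/main.go asks that libpod.refreshRootless() be updated whenever this map changes, yet the diffstat lists only cmd/podman/main.go and cmd/podman/mount.go, so that companion list appears not to have been updated. Either add the matching entry there or, if refreshRootless() no longer needs it, amend that comment so the next reader is not sent looking. The map declaration starts before this hunk and ends after it.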
@@ -59,6 +64,22 @@ func mountCmd(c *cli.Context) error {
 }
 defer runtime.Shutdown(false)
+ if os.Geteuid() != 0 {
+ if driver := runtime.GetConfig().StorageConfig.GraphDriverName; driver != "vfs" {
+ // Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
+ // of the mount command.
+ return fmt.Errorf("cannot mount using driver %s in rootless mode", driver)
+ }
+
+ became, ret, err := rootless.BecomeRootInUserNS()
+ if err != nil {
+ return err
+ }
+ if became {
+ os.Exit(ret)
+ }
+ }
+
 formats := map[string]bool{
 "": true,
 of.JSONString: true,
-- 
cgit v1.2.3-54-g00ecf
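Review bot: `os.Exit(ret)` on the `became` branch skips the `defer runtime.Shutdown(false)` on the hunk's second context line, since deferred calls never run on os.Exit, and nothing in the hunk says whether leaving the parent's runtime un-shutdown is intended (presumably the re-executed process takes over from here). Either call `runtime.Shutdown(false)` immediately before `os.Exit(ret)`, or state the intent in place, e.g. `// os.Exit bypasses the deferred Shutdown; the re-exec'd process owns the runtime from here`. The driver name in the error would be clearer with `%q` so an empty GraphDriverName is visible in the message. mountCmd begins before this hunk and continues after it.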