From a389eab8d116f406aba6a4fd1dd5a545e536e88b Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed, 10 Jun 2020 14:45:11 +0200
Subject: container: make resolv.conf and hosts accessible in userns

when running in a new userns, make sure the resolv.conf and hosts
files bind mounted from another container are accessible to root in
the userns.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 libpod/container_internal_linux.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index d08e012a6..e0cd39ee5 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -1171,6 +1171,15 @@ func (c *Container) makeBindMounts() error {
 				// finally, save it in the new container
 				c.state.BindMounts["/etc/hosts"] = hostsPath
 			}
+
+			if !hasCurrentUserMapped(c) {
+				if err := makeAccessible(resolvPath, c.RootUID(), c.RootGID()); err != nil {
+					return err
+				}
+				if err := makeAccessible(hostsPath, c.RootUID(), c.RootGID()); err != nil {
+					return err
+				}
+			}
 		} else {
 			if !c.config.UseImageResolvConf {
 				newResolv, err := c.generateResolvConf()
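Review bot: The two bare `return err` lines at L26 and L30 drop which file could not be made accessible, so a failure on a file borrowed from another container surfaces without a path; wrap them, e.g. `return fmt.Errorf("making %q accessible to the container's root in userns: %w", resolvPath, err)` (or the file's existing error-wrapping helper) and likewise for `hostsPath`. The block also gives no reason for itself; since `makeAccessible` appears to change ownership or mode of files that live in another container's state (inferred from the name, not visible here), a one-line comment such as `// the files come from another container; the current user is not mapped into this userns, so grant the container's root uid/gid access` would keep the next reader from removing it. `hostsPath` is assigned inside the branch that closes at L22, so confirm it is always set when the new `if` runs. makeBindMounts starts and ends outside the hunk.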
-- 
cgit v1.2.3-54-g00ecf


From 6c27e27b8c263696c78d540a87918c6482507310 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Wed, 10 Jun 2020 14:52:08 +0200
Subject: container: do not set hostname when joining uts

do not set the hostname when joining a UTS namespace, as it could be
owned by a different userns.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 libpod/container_internal_linux.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index e0cd39ee5..e3ca3f6b2 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -392,7 +392,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	}
 
 	for _, i := range c.config.Spec.Linux.Namespaces {
-		if i.Type == spec.UTSNamespace {
+		if i.Type == spec.UTSNamespace && i.Path == "" {
 			hostname := c.Hostname()
 			g.SetHostname(hostname)
 			g.AddProcessEnv("HOSTNAME", hostname)
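Review bot: The new `&& i.Path == ""` condition at L61 carries no explanation, and the only hint for why a joined UTS namespace must not get a hostname lives in the commit message; add `// Only a private UTS namespace (no Path) can have its hostname set; a joined one may belong to another userns.` above the `if`. The same reasoning would sharpen the comment added in the second hunk (L70, `// Joining an existing namespace, cannot set the hostname`), which could name the userns ownership reason rather than only the effect. Both hunks still export `HOSTNAME` from `Hostname()` (L64, L72) while the spec hostname is left unset or cleared; if that is intended, say so in the same comment. generateSpec continues outside the hunk.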
@@ -591,7 +591,8 @@ func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr
 
 	if specNS == spec.UTSNamespace {
 		hostname := nsCtr.Hostname()
-		g.SetHostname(hostname)
+		// Joining an existing namespace, cannot set the hostname
+		g.SetHostname("")
 		g.AddProcessEnv("HOSTNAME", hostname)
 	}
 
-- 
cgit v1.2.3-54-g00ecf