From 77e4b077b9d8989b1300689103a5489bd1ad9a8b Mon Sep 17 00:00:00 2001
From: Qi Wang
Date: Fri, 29 May 2020 17:39:42 -0400
Subject: check --user range for rootless containers
Check --user range if it's a uid for rootless containers. Returns error if it is out of the range. From https://github.com/containers/libpod/issues/6431#issuecomment-636124686
Signed-off-by: Qi Wang
---
 libpod/container_internal_linux.go | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'libpod')
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2bd6099f0..d08e012a6 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -325,6 +325,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 }
 if c.config.User != "" {
+ if rootless.IsRootless() {
+ if err := util.CheckRootlessUIDRange(execUser.Uid); err != nil {
+ return nil, err
+ }
+ }
 // User and Group must go together
 g.SetProcessUID(uint32(execUser.Uid))
 g.SetProcessGID(uint32(execUser.Gid))
--
cgit v1.2.3-54-g00ecf
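Review bot: The new range check validates only the UID, while the context line `g.SetProcessGID(uint32(execUser.Gid))` immediately below still writes a GID that is never checked against the rootless mapping, so a `--user uid:gid` with an unmapped group still yields a spec that can only fail later in the runtime — presumably with the same opaque error the linked issue describes; apply the equivalent check to `execUser.Gid` (a GID counterpart to `CheckRootlessUIDRange` would be needed if the util package has none). The added `if rootless.IsRootless()` block carries no why-comment; I would put `// Rootless containers can only set UIDs that fall inside the user namespace mapping; reject the rest here instead of at container start.` above it. The error is returned unwrapped, so unless the helper's message already embeds the offending value the caller cannot tell which `c.config.User` string was rejected; wrapping it with that context would help debugging. generateSpec starts and ends outside this hunk, so whether supplementary groups, if any are set there, receive the same validation is not visible here.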