From 6996830104afca5926daecc05d9154a0a9eb274d Mon Sep 17 00:00:00 2001
From: cdoern
Date: Thu, 13 Jan 2022 10:43:24 -0500
Subject: Prohibit --uid/gid map and --pod for container create/run

add a check in namespaceOptions() that ensures the user is not setting a new uid/gid map if entering or creating a pod that has an infra container resolves #12669

Signed-off-by: cdoern
---
 pkg/specgen/generate/namespaces.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'pkg/specgen/generate')

diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
index a2bc37e34..9d4c47cc3 100644
--- a/pkg/specgen/generate/namespaces.go
+++ b/pkg/specgen/generate/namespaces.go
@@ -193,8 +193,14 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 // This wipes the UserNS settings that get set from the infra container
 // when we are inheritting from the pod. So only apply this if the container
 // is not being created in a pod.
- if s.IDMappings != nil && pod == nil {
- toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+ if s.IDMappings != nil {
+ if pod == nil {
+ toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+ } else {
+ if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
+ return nil, errors.Wrapf(define.ErrInvalidArg, "cannot specify a new uid/gid map when entering a pod with an infra container")
+ }
+ }
+ }
 if s.User != "" {
 toReturn = append(toReturn, libpod.WithUser(s.User))
-- 
cgit v1.2.3-54-g00ecf
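Review bot: A pod without an infra container now silently discards s.IDMappings: the new else branch only returns an error when pod.HasInfraContainer() is true, and in the no-infra case it neither appends libpod.WithIDMappings nor reports anything, so a user-supplied --uidmap/--gidmap is dropped without feedback. Whether that case should apply the mapping as the pod == nil branch does, or reject it explicitly, is not visible from this hunk, so at minimum the branch should say so, e.g. `// pod without an infra container: IDMappings are intentionally not applied`. The nested `else { if … }` would read more directly as `} else if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {`. namespaceOptions begins before this hunk, and the three added closing braces shown do not match the 8 insertions in the diffstat, so the last `}` is presumably context that lost its marker in rendering.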