Merge pull request #1923 from giuseppe/rootless-no-newuidmap-installed

rootless: raise error if newuidmap/newgidmap are not installed
OpenShift Merge Robot
2018-12-03 09:25:36 -08:00
committed by GitHub


@ -74,7 +74,7 @@ func GetRootlessUID() int {
func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) error { func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap) error {
path, err := exec.LookPath(tool) path, err := exec.LookPath(tool)
if err != nil { if err != nil {
return err return errors.Wrapf(err, "cannot find %s", tool)
} }
appendTriplet := func(l []string, a, b, c int) []string { appendTriplet := func(l []string, a, b, c int) []string {
@ -92,7 +92,11 @@ func tryMappingTool(tool string, pid int, hostID int, mappings []idtools.IDMap)
Path: path, Path: path,
Args: args, Args: args,
} }
return cmd.Run()
if err := cmd.Run(); err != nil {
return errors.Wrapf(err, "cannot setup namespace using %s", tool)
}
return nil
} }
// JoinNS re-exec podman in a new userNS and join the user namespace of the specified // JoinNS re-exec podman in a new userNS and join the user namespace of the specified
@ -191,11 +195,13 @@ func BecomeRootInUserNS() (bool, int, error) {
return false, -1, errors.Errorf("cannot re-exec process") return false, -1, errors.Errorf("cannot re-exec process")
} }
allowSingleIDMapping := os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") != ""
var uids, gids []idtools.IDMap var uids, gids []idtools.IDMap
username := os.Getenv("USER") username := os.Getenv("USER")
if username == "" { if username == "" {
user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid())) user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" { if err != nil && !allowSingleIDMapping {
if os.IsNotExist(err) { if os.IsNotExist(err) {
return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files") return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files")
} }
@ -206,7 +212,7 @@ func BecomeRootInUserNS() (bool, int, error) {
} }
} }
mappings, err := idtools.NewIDMappings(username, username) mappings, err := idtools.NewIDMappings(username, username)
if os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" { if !allowSingleIDMapping {
if err != nil { if err != nil {
return false, -1, err return false, -1, err
} }
@ -236,7 +242,11 @@ func BecomeRootInUserNS() (bool, int, error) {
uidsMapped := false uidsMapped := false
if mappings != nil && uids != nil { if mappings != nil && uids != nil {
uidsMapped = tryMappingTool("newuidmap", pid, os.Getuid(), uids) == nil err := tryMappingTool("newuidmap", pid, os.Getuid(), uids)
if !allowSingleIDMapping && err != nil {
return false, 0, err
}
uidsMapped = err == nil
} }
if !uidsMapped { if !uidsMapped {
setgroups := fmt.Sprintf("/proc/%d/setgroups", pid) setgroups := fmt.Sprintf("/proc/%d/setgroups", pid)
@ -254,7 +264,11 @@ func BecomeRootInUserNS() (bool, int, error) {
gidsMapped := false gidsMapped := false
if mappings != nil && gids != nil { if mappings != nil && gids != nil {
gidsMapped = tryMappingTool("newgidmap", pid, os.Getgid(), gids) == nil err := tryMappingTool("newgidmap", pid, os.Getgid(), gids)
if !allowSingleIDMapping && err != nil {
return false, 0, err
}
gidsMapped = err == nil
} }
if !gidsMapped { if !gidsMapped {
gidMap := fmt.Sprintf("/proc/%d/gid_map", pid) gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)