opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-22 01:48:54 +08:00
Code Issues Packages Projects Releases Wiki Activity

system: enhance check for re-exec into rootless userns

Browse Source 
Previously, the setup only checked for the CAP_SYS_ADMIN capability,
which could be not enough with containerized Podman where
CAP_SYS_ADMIN might be set for an unprivileged user.

Closes: https://github.com/containers/podman/issues/20766

[NO NEW TESTS NEEDED] needs containerized Podman

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2023-11-24 13:19:56 +01:00
parent 6c29a870f7
commit 41a6b992aa
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/domain/infra/abi/system.go
View File

@ -88,7 +88,8 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
if err != nil { if err != nil {
return err return err
} }
if hasCapSysAdmin { // check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
if os.Geteuid() == 0 && hasCapSysAdmin {
ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup() ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
if err != nil { if err != nil {
logrus.Infof("Failed to detect the owner for the current cgroup: %v", err) logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)