libpod: intermediate mount if UID not mapped into the userns

if the current user is not mapped into the new user namespace, use an intermediate mount to allow the mount point to be accessible instead of opening up all the parent directories for the mountpoint. Closes: https://github.com/containers/podman/issues/23028 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-10-18 03:33:32 +08:00 · 2024-06-19 23:49:37 +02:00
parent 08a8429459
commit 49eb5af301
5 changed files with 145 additions and 47 deletions
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@ -565,7 +565,11 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 		return nil, nil, err
 	}

-	g.SetRootPath(c.state.Mountpoint)
+	rootPath, err := c.getRootPathForOCI()
+	if err != nil {
+		return nil, nil, err
+	}
+	g.SetRootPath(rootPath)
 	g.AddAnnotation("org.opencontainers.image.stopSignal", strconv.FormatUint(uint64(c.config.StopSignal), 10))

 	if _, exists := g.Config.Annotations[annotations.ContainerManager]; !exists {