From 39341f283c8e99d15a9dd24745ac1a4be9a054e8 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Sun, 30 Jul 2023 08:26:27 -0400
Subject: [PATCH] Set default userns from containers.conf file

Fixed: https://github.com/containers/podman/issues/19432

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 pkg/specgenutil/specgen.go   | 77 +++++++++++++++++++-----------------
 test/system/160-volumes.bats | 24 +++++++++--
 2 files changed, 61 insertions(+), 40 deletions(-)

diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index 71ec3a122f..9167f80321 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -193,7 +193,7 @@ func getMemoryLimits(c *entities.ContainerCreateOptions) (*specs.LinuxMemory, er
 	return memory, nil
 }
 
-func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) error {
+func setNamespaces(rtc *config.Config, s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) error {
 	var err error
 
 	if c.PID != "" {
@@ -222,7 +222,11 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 	}
 	userns := c.UserNS
 	if userns == "" && c.Pod == "" {
-		userns = os.Getenv("PODMAN_USERNS")
+		if ns, ok := os.LookupEnv("PODMAN_USERNS"); ok {
+			userns = ns
+		} else {
+			userns = rtc.Containers.UserNS
+		}
 	}
 	// userns must be treated differently
 	if userns != "" {
@@ -234,6 +238,40 @@ func setNamespaces(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 	if c.Net != nil {
 		s.NetNS = c.Net.Network
 	}
+
+	if s.IDMappings == nil {
+		userNS := namespaces.UsernsMode(s.UserNS.NSMode)
+		tempIDMap, err := util.ParseIDMapping(namespaces.UsernsMode(userns), []string{}, []string{}, "", "")
+		if err != nil {
+			return err
+		}
+		s.IDMappings, err = util.ParseIDMapping(userNS, c.UIDMap, c.GIDMap, c.SubUIDName, c.SubGIDName)
+		if err != nil {
+			return err
+		}
+		if len(s.IDMappings.GIDMap) == 0 {
+			s.IDMappings.AutoUserNsOpts.AdditionalGIDMappings = tempIDMap.AutoUserNsOpts.AdditionalGIDMappings
+			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
+				s.IDMappings.AutoUserNs = true
+			}
+		}
+		if len(s.IDMappings.UIDMap) == 0 {
+			s.IDMappings.AutoUserNsOpts.AdditionalUIDMappings = tempIDMap.AutoUserNsOpts.AdditionalUIDMappings
+			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
+				s.IDMappings.AutoUserNs = true
+			}
+		}
+		if tempIDMap.AutoUserNsOpts.Size != 0 {
+			s.IDMappings.AutoUserNsOpts.Size = tempIDMap.AutoUserNsOpts.Size
+		}
+		// If some mappings are specified, assume a private user namespace
+		if userNS.IsDefaultValue() && (!s.IDMappings.HostUIDMapping || !s.IDMappings.HostGIDMapping) {
+			s.UserNS.NSMode = specgen.Private
+		} else {
+			s.UserNS.NSMode = specgen.NamespaceMode(userNS)
+		}
+	}
+
 	return nil
 }
 
@@ -320,43 +358,10 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		s.StartupHealthConfig.Successes = int(c.StartupHCSuccesses)
 	}
 
-	if err := setNamespaces(s, c); err != nil {
+	if err := setNamespaces(rtc, s, c); err != nil {
 		return err
 	}
 
-	if s.IDMappings == nil {
-		userNS := namespaces.UsernsMode(s.UserNS.NSMode)
-		tempIDMap, err := util.ParseIDMapping(namespaces.UsernsMode(c.UserNS), []string{}, []string{}, "", "")
-		if err != nil {
-			return err
-		}
-		s.IDMappings, err = util.ParseIDMapping(userNS, c.UIDMap, c.GIDMap, c.SubUIDName, c.SubGIDName)
-		if err != nil {
-			return err
-		}
-		if len(s.IDMappings.GIDMap) == 0 {
-			s.IDMappings.AutoUserNsOpts.AdditionalGIDMappings = tempIDMap.AutoUserNsOpts.AdditionalGIDMappings
-			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
-				s.IDMappings.AutoUserNs = true
-			}
-		}
-		if len(s.IDMappings.UIDMap) == 0 {
-			s.IDMappings.AutoUserNsOpts.AdditionalUIDMappings = tempIDMap.AutoUserNsOpts.AdditionalUIDMappings
-			if s.UserNS.NSMode == specgen.NamespaceMode("auto") {
-				s.IDMappings.AutoUserNs = true
-			}
-		}
-		if tempIDMap.AutoUserNsOpts.Size != 0 {
-			s.IDMappings.AutoUserNsOpts.Size = tempIDMap.AutoUserNsOpts.Size
-		}
-		// If some mappings are specified, assume a private user namespace
-		if userNS.IsDefaultValue() && (!s.IDMappings.HostUIDMapping || !s.IDMappings.HostGIDMapping) {
-			s.UserNS.NSMode = specgen.Private
-		} else {
-			s.UserNS.NSMode = specgen.NamespaceMode(userNS)
-		}
-	}
-
 	if !s.Terminal {
 		s.Terminal = c.TTY
 	}
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
index 650ab5a5d7..5c97dc89b8 100644
--- a/test/system/160-volumes.bats
+++ b/test/system/160-volumes.bats
@@ -327,15 +327,31 @@ EOF
     mkdir $myvoldir
     touch $myvoldir/myfile
 
+    containersconf=${PODMAN_TMPDIR}/containers.conf
+    cat >$containersconf <<EOF
+[containers]
+userns="keep-id"
+EOF
+
     # With keep-id
     run_podman run --rm -v $myvoldir:/vol:z --userns=keep-id $IMAGE \
-               stat -c "%u:%s" /vol/myfile
-    is "$output" "$(id -u):0" "with keep-id: stat(file in container) == my uid"
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "$(id -u):$(id -g):0" "with keep-id: stat(file in container) == my uid"
 
     # Without
     run_podman run --rm -v $myvoldir:/vol:z $IMAGE \
-               stat -c "%u:%s" /vol/myfile
-    is "$output" "0:0" "w/o keep-id: stat(file in container) == root"
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "0:0:0" "w/o keep-id: stat(file in container) == root"
+
+    # With keep-id from containers.conf
+    CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm -v $myvoldir:/vol:z $IMAGE \
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "$(id -u):$(id -g):0" "with keep-id from containers.conf: stat(file in container) == my uid"
+
+    # With keep-id from containers.conf overriden with --userns=nomap
+    CONTAINERS_CONF_OVERRIDE="$containersconf" run_podman run --rm -v $myvoldir:/vol:z --userns=nomap $IMAGE \
+               stat -c "%u:%g:%s" /vol/myfile
+    is "$output" "65534:65534:0" "w/o overridden containers.conf keep-id->nomap: stat(file in container) == root"
 }