From da04469f0685940d2ea555f5073c1bde381233d4 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 2 Mar 2023 22:14:16 +0100
Subject: [PATCH 1/3] cmd: clarify meaning of ParentNSRequired
there are no commands that are not supported by rootless mode, but some commands require to run in the user namespace.
Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/main.go | 7 -------
 cmd/podman/registry/config.go | 2 +-
 2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index a820967f93..14b30d47a3 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -81,13 +81,6 @@ func parseCommands() *cobra.Command {
 return fmt.Errorf("cannot run command %q in rootless mode, must execute `podman unshare` first", cmd.CommandPath())
 }
 }
- } else {
- _, found = c.Command.Annotations[registry.ParentNSRequired]
- if rootless.IsRootless() && found && c.Command.Name() != "scp" {
- c.Command.RunE = func(cmd *cobra.Command, args []string) error {
- return fmt.Errorf("cannot run command %q in rootless mode", cmd.CommandPath())
- }
- }
 }
 addCommand(c)
 }
diff --git a/cmd/podman/registry/config.go b/cmd/podman/registry/config.go
index 3e5920c098..21988b421e 100644
--- a/cmd/podman/registry/config.go
+++ b/cmd/podman/registry/config.go
@@ -17,7 +17,7 @@ const (
 // NoMoveProcess used as cobra.Annotation when command doesn't need Podman to be moved to a separate cgroup
 NoMoveProcess = "NoMoveProcess"
- // ParentNSRequired used as cobra.Annotation when command requires root access
+ // ParentNSRequired used as cobra.Annotation when a command should not be run in the podman rootless user namespace, also requires updates in `pkg/rootless/rootless_linux.c` in function `can_use_shortcut()` to exclude the command name there.
 ParentNSRequired = "ParentNSRequired"
 // UnshareNSRequired used as cobra.Annotation when command requires modified user namespace
From 2860d55c97fe2742fef2bc7f2c20725797ed2888 Mon Sep 17 00:00:00 2001
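Review bot: With the `else` branch removed, a ParentNSRequired annotation no longer has any runtime effect in parseCommands(): a command that carries the annotation but is missing from the name list in `can_use_shortcut()` will, as far as this series shows, be joined to the rootless user namespace silently, whereas before it failed with an explicit error. The two lists now live in different languages and are kept in sync by hand (the config.go hunk in this same patch documents exactly that), so drift is the obvious failure mode. I would add a unit test that walks the cobra command tree, collects every command annotated `registry.ParentNSRequired`, and compares that set against the names excluded in `pkg/rootless/rootless_linux.c`, so that an omission fails CI instead of changing namespace behaviour at runtime. parseCommands() starts and continues outside the hunk.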
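Review bot: The replacement ParentNSRequired comment in config.go is a single line of roughly 250 characters that gofmt will not wrap, and it folds two separate facts into one run-on sentence. I would split and wrap it: `// ParentNSRequired used as cobra.Annotation when a command must run in the parent user namespace rather than the podman rootless user namespace.` followed by `// Commands carrying it must also be listed in can_use_shortcut() in pkg/rootless/rootless_linux.c; nothing on the Go side enforces this, so a command missing there is run inside the user namespace.` The second sentence states the consequence of forgetting the C-side update, which the current wording leaves implicit.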
From: Giuseppe Scrivano
Date: Thu, 2 Mar 2023 22:15:39 +0100
Subject: [PATCH 2/3] cmd: drop special handling for "scp"
Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/images/scp.go | 3 +--
 cmd/podman/main.go | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/cmd/podman/images/scp.go b/cmd/podman/images/scp.go
index 18899d2515..409dd70718 100644
--- a/cmd/podman/images/scp.go
+++ b/cmd/podman/images/scp.go
@@ -15,8 +15,7 @@ var (
 imageScpCommand = &cobra.Command{
 Use: "scp [options] IMAGE [HOST::]",
 Annotations: map[string]string{
- registry.UnshareNSRequired: "",
- registry.ParentNSRequired: "",
+ registry.ParentNSRequired: "",
 },
 Long: saveScpDescription,
 Short: "securely copy images",
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 14b30d47a3..6110e77fcc 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -76,7 +76,7 @@ func parseCommands() *cobra.Command {
 // Command cannot be run rootless
 _, found := c.Command.Annotations[registry.UnshareNSRequired]
 if found {
- if rootless.IsRootless() && os.Getuid() != 0 && c.Command.Name() != "scp" {
+ if rootless.IsRootless() && os.Getuid() != 0 {
 c.Command.RunE = func(cmd *cobra.Command, args []string) error {
 return fmt.Errorf("cannot run command %q in rootless mode, must execute `podman unshare` first", cmd.CommandPath())
 }
From 0498ce3a569900301591cf09dc84c86e0bc9fe81 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 2 Mar 2023 22:18:25 +0100
Subject: [PATCH 3/3] cmd: do not require userns for "version"
Closes: https://github.com/containers/podman/issues/17657
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/system/version.go | 3 +++
 pkg/rootless/rootless_linux.c | 1 +
 2 files changed, 4 insertions(+)
diff --git a/cmd/podman/system/version.go b/cmd/podman/system/version.go
index 33ab0f757e..28bae1d55e 100644
--- a/cmd/podman/system/version.go
+++ b/cmd/podman/system/version.go
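Review bot: After this hunk `scp` keeps only ParentNSRequired, yet nothing visible in the series honours that annotation for scp: the Go-side check on it was deleted in the first patch, and the `can_use_shortcut()` name list shown in the third patch does not contain `"scp"` (that list may continue past the hunk, so please confirm). If the list really lacks it, the annotation is purely decorative for scp and the command runs wherever the C shortcut puts it, exactly as it did while it was exempted by name. I would either add scp to the C list if it genuinely must stay in the parent namespace, or drop the annotation with a short comment in the cobra.Command literal explaining that scp handles its own namespace. The imageScpCommand literal continues outside the hunk.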
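Review bot: The comment `// Command cannot be run rootless` two lines above the changed condition in main.go no longer describes the block: the guard only applies to commands annotated UnshareNSRequired and, judging by the `os.Getuid() != 0` test and the error text, it refuses them only until the process is already inside a user namespace. With the `"scp"` name exemption gone the block is now uniform, so this is the moment to fix the wording, e.g. `// Command needs a user namespace: refuse it rootless until the caller is inside one (podman unshare)`. parseCommands() starts and continues outside the hunk.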
@@ -22,6 +22,9 @@ var (
 Short: "Display the Podman version information",
 RunE: version,
 ValidArgsFunction: completion.AutocompleteNone,
+ Annotations: map[string]string{
+ registry.ParentNSRequired: "",
+ },
 }
 versionFormat string
 )
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index 7e8b3f78a6..d4273185a0 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -386,6 +386,7 @@ can_use_shortcut (char **argv)
 if (strcmp (argv[argc], "mount") == 0
 || strcmp (argv[argc], "machine") == 0
+ || strcmp (argv[argc], "version") == 0
 || strcmp (argv[argc], "context") == 0
 || strcmp (argv[argc], "search") == 0
 || (strcmp (argv[argc], "system") == 0 && argv[argc+1] && strcmp (argv[argc+1], "service") != 0))
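Review bot: The new `"version"` entry is compared with `strcmp` against `argv[argc]` like the existing names, so if the enclosing loop visits every non-flag argument (the loop header is outside the hunk; I am inferring this from the repeated `argv[argc]` indexing), any invocation that carries `version` as a later positional word, for instance as an argument to a container command, also gives up the shortcut. As far as this hunk shows that only costs the fast path rather than correctness, but `version` is a much more common word than `machine` or `context`, so the false-positive rate goes up with this entry. I would record that trade-off on the `if` so nobody later "fixes" it into an exact-position match without checking the callers: `/* any non-flag argv word matches; a false positive only forfeits the shortcut */`. can_use_shortcut() starts and continues outside the hunk.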