Enforce namespace checks on container add

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

libpod/boltdb_state_internal.go

@@ -266,6 +266,11 @@ func (s *BoltState) getPodFromDB(id []byte, pod *Pod, podBkt *bolt.Bucket) error
 // Add a container to the DB
 // If pod is not nil, the container is added to the pod as well
 func (s *BoltState) addContainer(ctr *Container, pod *Pod) error {
+	if s.namespace != "" && s.namespace != ctr.config.Namespace {
+		return errors.Wrapf(ErrNSMismatch, "cannot add container %s as it is in namespace %q and we are in namespace %q",
+			ctr.ID(), s.namespace, ctr.config.Namespace)
+	}
+
 	// JSON container structs to insert into DB
 	// TODO use a higher-performance struct encoding than JSON
 	configJSON, err := json.Marshal(ctr.config)

libpod/in_memory_state.go

@@ -172,6 +172,10 @@ func (s *InMemoryState) AddContainer(ctr *Container) error {
 		return errors.Wrapf(ErrInvalidArg, "cannot add a container that is in a pod with AddContainer, use AddContainerToPod")
 	}
 
+	if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil {
+		return err
+	}
+
 	// There are potential race conditions with this
 	// But in-memory state is intended purely for testing and not production
 	// use, so this should be fine.
@@ -692,6 +696,10 @@ func (s *InMemoryState) AddContainerToPod(pod *Pod, ctr *Container) error {
 			ctr.ID(), ctr.config.Namespace, pod.ID(), pod.config.Namespace)
 	}
 
+	if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil {
+		return err
+	}
+
 	// Retrieve pod containers list
 	podCtrs, ok := s.podContainers[pod.ID()]
 	if !ok {

libpod/state_test.go

@@ -331,6 +331,45 @@ func TestAddCtrDepInDifferentNamespaceFails(t *testing.T) {
 	})
 }
 
+func TestAddCtrSameNamespaceSucceeds(t *testing.T) {
+	runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+		testCtr, err := getTestCtr1(lockPath)
+		assert.NoError(t, err)
+
+		testCtr.config.Namespace = "test1"
+
+		state.SetNamespace("test1")
+
+		err = state.AddContainer(testCtr)
+		assert.NoError(t, err)
+
+		retrievedCtr, err := state.Container(testCtr.ID())
+		assert.NoError(t, err)
+
+		testContainersEqual(t, testCtr, retrievedCtr)
+	})
+}
+
+func TestAddCtrDifferentNamespaceFails(t *testing.T) {
+	runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+		testCtr, err := getTestCtr1(lockPath)
+		assert.NoError(t, err)
+
+		testCtr.config.Namespace = "test1"
+
+		state.SetNamespace("test2")
+
+		err = state.AddContainer(testCtr)
+		assert.Error(t, err)
+
+		state.SetNamespace("")
+
+		ctrs, err := state.AllContainers()
+		assert.NoError(t, err)
+		assert.Equal(t, 0, len(ctrs))
+	})
+}
+
 func TestGetNonexistentContainerFails(t *testing.T) {
 	runForAllStates(t, func(t *testing.T, state State, lockPath string) {
 		_, err := state.Container("does not exist")
@@ -2493,7 +2532,7 @@ func TestRemoveContainersNotInNamespace(t *testing.T) {
 
 		state.SetNamespace("test2")
 
-		err := state.RemovePodContainers(testPod)
+		err = state.RemovePodContainers(testPod)
 		assert.Error(t, err)
 	})
 }
@@ -3019,6 +3058,61 @@ func TestAddContainerToPodNamespaceOnPodFails(t *testing.T) {
 	})
 }
 
+func TestAddCtrToPodSameNamespaceSucceeds(t *testing.T) {
+	runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+		testCtr, err := getTestCtr1(lockPath)
+		assert.NoError(t, err)
+
+		testPod, err := getTestPod2(lockPath)
+		assert.NoError(t, err)
+
+		testCtr.config.Namespace = "test1"
+		testPod.config.Namespace = "test1"
+		testCtr.config.Pod = testPod.ID()
+
+		err = state.AddPod(testPod)
+		assert.NoError(t, err)
+
+		state.SetNamespace("test1")
+
+		err = state.AddContainerToPod(testPod, testCtr)
+		assert.NoError(t, err)
+
+		retrievedCtr, err := state.Container(testCtr.ID())
+		assert.NoError(t, err)
+
+		testContainersEqual(t, testCtr, retrievedCtr)
+	})
+}
+
+func TestAddCtrToPodDifferentNamespaceFails(t *testing.T) {
+	runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+		testCtr, err := getTestCtr1(lockPath)
+		assert.NoError(t, err)
+
+		testPod, err := getTestPod2(lockPath)
+		assert.NoError(t, err)
+
+		testCtr.config.Namespace = "test1"
+		testPod.config.Namespace = "test1"
+		testCtr.config.Pod = testPod.ID()
+
+		state.AddPod(testPod)
+		assert.NoError(t, err)
+
+		state.SetNamespace("test2")
+
+		err = state.AddContainerToPod(testPod, testCtr)
+		assert.Error(t, err)
+
+		state.SetNamespace("")
+
+		ctrs, err := state.AllContainers()
+		assert.NoError(t, err)
+		assert.Equal(t, 0, len(ctrs))
+	})
+}
+
 func TestRemoveContainerFromPodBadPodFails(t *testing.T) {
 	runForAllStates(t, func(t *testing.T, state State, lockPath string) {
 		testCtr, err := getTestCtr1(lockPath)
@@ -3291,7 +3385,7 @@ func TestUpdatePodNotInNamespaceFails(t *testing.T) {
 
 		state.SetNamespace("test2")
 
-		_, err = state.UpdatePod(testPod)
+		err = state.UpdatePod(testPod)
 		assert.Error(t, err)
 	})
 }
@@ -3325,7 +3419,7 @@ func TestSavePodNotInNamespaceFails(t *testing.T) {
 
 		state.SetNamespace("test2")
 
-		_, err = state.SavePod(testPod)
+		err = state.SavePod(testPod)
 		assert.Error(t, err)
 	})
 }