opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-05 04:40:47 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add support for --userns=nomap

Browse Source 
From a security point of view, it would be nice to be able to map a
rootless usernamespace that does not use your own UID within the
container.

This would add protection against a hostile process escapping the
container and reading content in your homedir.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2022-04-13 14:06:05 -04:00
parent 121dde6234
commit 80c0fceb24
17 changed files with 270 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
test/e2e/run_userns_test.go
View File

@@ -78,12 +78,18 @@ var _ = Describe("Podman UserNS support", func() {
It("podman --userns=keep-id", func() {
session := podmanTest.Podman([]string{"run", "--userns=keep-id", "alpine", "id", "-u"})
session.WaitWithDefaultTimeout()
if os.Geteuid() == 0 {
Expect(session).Should(Exit(125))
return
}
Expect(session).Should(Exit(0))
uid := fmt.Sprintf("%d", os.Geteuid())
Expect(session.OutputToString()).To(ContainSubstring(uid))
})
It("podman --userns=keep-id check passwd", func() {
SkipIfNotRootless("keep-id only works in rootless mode")
session := podmanTest.Podman([]string{"run", "--userns=keep-id", "alpine", "id", "-un"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
@@ -93,6 +99,7 @@ var _ = Describe("Podman UserNS support", func() {
})
It("podman --userns=keep-id root owns /usr", func() {
SkipIfNotRootless("keep-id only works in rootless mode")
session := podmanTest.Podman([]string{"run", "--userns=keep-id", "alpine", "stat", "-c%u", "/usr"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
@@ -100,6 +107,7 @@ var _ = Describe("Podman UserNS support", func() {
})
It("podman --userns=keep-id --user root:root", func() {
SkipIfNotRootless("keep-id only works in rootless mode")
session := podmanTest.Podman([]string{"run", "--userns=keep-id", "--user", "root:root", "alpine", "id", "-u"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
@@ -107,10 +115,7 @@ var _ = Describe("Podman UserNS support", func() {
})
It("podman run --userns=keep-id can add users", func() {
if os.Geteuid() == 0 {
Skip("Test only runs without root")
}
SkipIfNotRootless("keep-id only works in rootless mode")
userName := os.Getenv("USER")
if userName == "" {
Skip("Can't complete test if no username available")