Merge pull request #20802 from rhatdan/chown

Use idtools.SafeChown and SafeLchown everywhere
openshift-merge-bot[bot]
2023-11-28 11:02:25 +00:00
committed by GitHub
2 changed files with 12 additions and 12 deletions


@ -535,11 +535,11 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.state.RunDir = containerInfo.RunDir c.state.RunDir = containerInfo.RunDir
if len(c.config.IDMappings.UIDMap) != 0 || len(c.config.IDMappings.GIDMap) != 0 { if len(c.config.IDMappings.UIDMap) != 0 || len(c.config.IDMappings.GIDMap) != 0 {
if err := os.Chown(containerInfo.RunDir, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(containerInfo.RunDir, c.RootUID(), c.RootGID()); err != nil {
return err return err
} }
if err := os.Chown(containerInfo.Dir, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(containerInfo.Dir, c.RootUID(), c.RootGID()); err != nil {
return err return err
} }
} }
@ -681,7 +681,7 @@ func (c *Container) refresh() error {
if err := os.MkdirAll(root, 0755); err != nil { if err := os.MkdirAll(root, 0755); err != nil {
return fmt.Errorf("creating userNS tmpdir for container %s: %w", c.ID(), err) return fmt.Errorf("creating userNS tmpdir for container %s: %w", c.ID(), err)
} }
if err := os.Chown(root, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(root, c.RootUID(), c.RootGID()); err != nil {
return err return err
} }
} }
@ -1578,7 +1578,7 @@ func (c *Container) mountStorage() (_ string, deferredErr error) {
if err := c.mountSHM(shmOptions); err != nil { if err := c.mountSHM(shmOptions); err != nil {
return "", err return "", err
} }
if err := os.Chown(c.config.ShmDir, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(c.config.ShmDir, c.RootUID(), c.RootGID()); err != nil {
return "", fmt.Errorf("failed to chown %s: %w", c.config.ShmDir, err) return "", fmt.Errorf("failed to chown %s: %w", c.config.ShmDir, err)
} }
defer func() { defer func() {
@ -2325,7 +2325,7 @@ func (c *Container) mount() (string, error) {
if err != nil { if err != nil {
return "", fmt.Errorf("resolving storage path for container %s: %w", c.ID(), err) return "", fmt.Errorf("resolving storage path for container %s: %w", c.ID(), err)
} }
if err := os.Chown(mountPoint, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(mountPoint, c.RootUID(), c.RootGID()); err != nil {
return "", fmt.Errorf("cannot chown %s to %d:%d: %w", mountPoint, c.RootUID(), c.RootGID(), err) return "", fmt.Errorf("cannot chown %s to %d:%d: %w", mountPoint, c.RootUID(), c.RootGID(), err)
} }
return mountPoint, nil return mountPoint, nil
@ -2508,7 +2508,7 @@ func (c *Container) extractSecretToCtrStorage(secr *ContainerSecret) error {
if err != nil { if err != nil {
return fmt.Errorf("unable to create %s: %w", secretFile, err) return fmt.Errorf("unable to create %s: %w", secretFile, err)
} }
if err := os.Lchown(secretFile, int(hostUID), int(hostGID)); err != nil { if err := idtools.SafeLchown(secretFile, int(hostUID), int(hostGID)); err != nil {
return err return err
} }
if err := os.Chmod(secretFile, os.FileMode(secr.Mode)); err != nil { if err := os.Chmod(secretFile, os.FileMode(secr.Mode)); err != nil {
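Review bot: The move to `idtools.SafeChown` in setupStorage, and at the other call sites in this file, carries no comment, and the name invites the reading that the call is now symlink- or race-safe. As far as I know the helper only skips the syscall when the path already has the requested owner and reports unmapped-ID failures more clearly; it still follows symlinks exactly as `os.Chown` did. I would add a comment at the first call, for example `// SafeChown skips the chown when ownership already matches; it follows symlinks like os.Chown.` The same applies to the calls in refresh, mountStorage and mount, whose bodies start and end outside the hunks shown.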


@ -795,7 +795,7 @@ func (c *Container) resolveWorkDir() error {
if err != nil { if err != nil {
return fmt.Errorf("looking up %s inside of the container %s: %w", c.User(), c.ID(), err) return fmt.Errorf("looking up %s inside of the container %s: %w", c.User(), c.ID(), err)
} }
if err := os.Chown(resolvedWorkdir, int(uid), int(gid)); err != nil { if err := idtools.SafeChown(resolvedWorkdir, int(uid), int(gid)); err != nil {
return fmt.Errorf("chowning container %s workdir to container root: %w", c.ID(), err) return fmt.Errorf("chowning container %s workdir to container root: %w", c.ID(), err)
} }
@ -1820,7 +1820,7 @@ func (c *Container) mountIntoRootDirs(mountName string, mountPath string) error
// Make standard bind mounts to include in the container // Make standard bind mounts to include in the container
func (c *Container) makeBindMounts() error { func (c *Container) makeBindMounts() error {
if err := os.Chown(c.state.RunDir, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(c.state.RunDir, c.RootUID(), c.RootGID()); err != nil {
return fmt.Errorf("cannot chown run directory: %w", err) return fmt.Errorf("cannot chown run directory: %w", err)
} }
@ -2285,7 +2285,7 @@ func (c *Container) addHosts() error {
// It will also add the path to the container bind mount map. // It will also add the path to the container bind mount map.
// source is the path on the host, dest is the path in the container. // source is the path on the host, dest is the path in the container.
func (c *Container) bindMountRootFile(source, dest string) error { func (c *Container) bindMountRootFile(source, dest string) error {
if err := os.Chown(source, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(source, c.RootUID(), c.RootGID()); err != nil {
return err return err
} }
if err := c.relabel(source, c.MountLabel(), false); err != nil { if err := c.relabel(source, c.MountLabel(), false); err != nil {
@ -2827,7 +2827,7 @@ func (c *Container) createSecretMountDir(runPath string) error {
if err := c.relabel(src, c.config.MountLabel, false); err != nil { if err := c.relabel(src, c.config.MountLabel, false); err != nil {
return err return err
} }
if err := os.Chown(src, c.RootUID(), c.RootGID()); err != nil { if err := idtools.SafeChown(src, c.RootUID(), c.RootGID()); err != nil {
return err return err
} }
c.state.BindMounts[filepath.Join(runPath, "secrets")] = src c.state.BindMounts[filepath.Join(runPath, "secrets")] = src
@ -2886,7 +2886,7 @@ func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
return err return err
} }
if err := os.Lchown(mountPoint, uid, gid); err != nil { if err := idtools.SafeLchown(mountPoint, uid, gid); err != nil {
return err return err
} }
@ -2895,7 +2895,7 @@ func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
st, err := os.Lstat(filepath.Join(c.state.Mountpoint, v.Dest)) st, err := os.Lstat(filepath.Join(c.state.Mountpoint, v.Dest))
if err == nil { if err == nil {
if stat, ok := st.Sys().(*syscall.Stat_t); ok { if stat, ok := st.Sys().(*syscall.Stat_t); ok {
if err := os.Lchown(mountPoint, int(stat.Uid), int(stat.Gid)); err != nil { if err := idtools.SafeLchown(mountPoint, int(stat.Uid), int(stat.Gid)); err != nil {
return err return err
} }
} }
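Review bot: In resolveWorkDir, `idtools.SafeChown(resolvedWorkdir, ...)` follows a trailing symlink, and resolvedWorkdir presumably lies inside the container's root filesystem, whose contents come from the image. The code that produced the path is outside this hunk, so I cannot confirm that its final component is guaranteed to be a real directory when the call runs. fixVolumePermissions in this same file already uses the no-follow variant on its mount point; if the workdir is never meant to be a symlink, `if err := idtools.SafeLchown(resolvedWorkdir, int(uid), int(gid)); err != nil {` would make that explicit at no cost.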