From 90719d38f7194726aae9ff5469f23c8c0b00d6fd Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Tue, 20 Dec 2022 13:11:59 +0100
Subject: [PATCH] rootless: inhibit copy mapping for euid != 0

when running with euid != 0, inhibit the copy of the current mappings,
even if the kernel allows that.  This seems to be the expectation when
running in a Kubernetes cluster with a non-root user.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/rootless/rootless_linux.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 67e478e739..d9bc8da52d 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -223,6 +223,11 @@ func GetConfiguredMappings(quiet bool) ([]idtools.IDMap, []idtools.IDMap, error)
 }
 
 func copyMappings(from, to string) error {
+	// when running as non-root always go through the newuidmap/newgidmap
+	// configuration since this is the expectation when running on Kubernetes
+	if os.Geteuid() != 0 {
+		return errors.New("copying mappings is allowed only for root")
+	}
 	content, err := os.ReadFile(from)
 	if err != nil {
 		return err