opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-22 09:58:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15236 from giuseppe/refuse-userns-with-uidmap

Browse Source 
cmd: refuse --userns if a mapping is specified
This commit is contained in:
OpenShift Merge Robot
2022-08-08 14:46:30 +00:00
committed by GitHub
parent 70b03400b1 2e3a192bb0
commit 9d67d907ea
2 changed files with 31 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
cmd/podman/containers/create.go
View File

@ -192,16 +192,14 @@ func replaceContainer(name string) error {
} }
func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra bool) (entities.ContainerCreateOptions, error) { func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra bool) (entities.ContainerCreateOptions, error) {
vals.UserNS = c.Flag("userns").Value.String() if len(vals.UIDMap) > 0 || len(vals.GIDMap) > 0 || vals.SubUIDName != "" || vals.SubGIDName != "" {
// if user did not modify --userns flag and did turn on if c.Flag("userns").Changed {
// uid/gid mappings, set userns flag to "private" return vals, errors.New("--userns and --uidmap/--gidmap/--subuidname/--subgidname are mutually exclusive")
if !c.Flag("userns").Changed && vals.UserNS == "host" {
if len(vals.UIDMap) > 0 ||
len(vals.GIDMap) > 0 ||
vals.SubUIDName != "" ||
vals.SubGIDName != "" {
vals.UserNS = "private"
} }
// force userns flag to "private"
vals.UserNS = "private"
} else {
vals.UserNS = c.Flag("userns").Value.String()
} }
if c.Flag("kernel-memory") != nil && c.Flag("kernel-memory").Changed { if c.Flag("kernel-memory") != nil && c.Flag("kernel-memory").Changed {
logrus.Warnf("The --kernel-memory flag is no longer supported. This flag is a noop.") logrus.Warnf("The --kernel-memory flag is no longer supported. This flag is a noop.")

24
test/e2e/run_userns_test.go
View File

@ -307,6 +307,30 @@ var _ = Describe("Podman UserNS support", func() {
} }
}) })
It("podman --userns= conflicts with ui[dg]map and sub[ug]idname", func() {
session := podmanTest.Podman([]string{"run", "--userns=host", "--uidmap=0:1:500", "alpine", "true"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(125))
Expect(session.ErrorToString()).To(ContainSubstring("--userns and --uidmap/--gidmap/--subuidname/--subgidname are mutually exclusive"))
session = podmanTest.Podman([]string{"run", "--userns=host", "--gidmap=0:200:5000", "alpine", "true"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(125))
Expect(session.ErrorToString()).To(ContainSubstring("--userns and --uidmap/--gidmap/--subuidname/--subgidname are mutually exclusive"))
// with sub[ug]idname we don't check for the error output since the error message could be different, depending on the
// system configuration since the specified user could not be defined and cause a different earlier error.
// In any case, make sure the command doesn't succeed.
session = podmanTest.Podman([]string{"run", "--userns=private", "--subuidname=containers", "alpine", "true"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Not(Exit(0)))
session = podmanTest.Podman([]string{"run", "--userns=private", "--subgidname=containers", "alpine", "true"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Not(Exit(0)))
})
It("podman PODMAN_USERNS", func() { It("podman PODMAN_USERNS", func() {
SkipIfNotRootless("keep-id only works in rootless mode") SkipIfNotRootless("keep-id only works in rootless mode")