libpod: force rootfs for OCI path with idmap

when a --rootfs is specified with idmap, always use the specified
rootfs since we need a new mount on top of the original directory.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano
2024-07-25 01:11:19 +02:00
parent ea7500099a
commit b59918e536
2 changed files with 2 additions and 2 deletions


@ -2374,7 +2374,7 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (map[s
// the container's mountpoint directly from the storage.
// Otherwise, it returns an intermediate mountpoint that is accessible to anyone.
func (c *Container) getRootPathForOCI() (string, error) {
if hasCurrentUserMapped(c) {
if hasCurrentUserMapped(c) || c.config.RootfsMapping != nil {
return c.state.Mountpoint, nil
}
return c.getIntermediateMountpointUser()
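Review bot: The doc comment above getRootPathForOCI (it starts outside the hunk) still describes only the current-user-mapped case, while the new condition also returns c.state.Mountpoint whenever c.config.RootfsMapping is set. I would add a line such as `// With an idmapped --rootfs the mountpoint is also returned directly, because a new mount is placed on top of the original directory.` The same `RootfsMapping != nil` test is added to the condition in CreateContainer, so a small shared predicate would keep the two sites from drifting apart. Because this branch skips the intermediate mountpoint used when the current user is not mapped, it is worth confirming, since it is not visible here, that the storage path is still reachable by the runtime in that case and stays no more accessible than before.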


@ -183,7 +183,7 @@ func hasCurrentUserMapped(ctr *Container) bool {
// CreateContainer creates a container.
func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (int64, error) {
if !hasCurrentUserMapped(ctr) {
if !hasCurrentUserMapped(ctr) || ctr.config.RootfsMapping != nil {
// if we are running a non privileged container, be sure to umount some kernel paths so they are not
// bind mounted inside the container at all.
hideFiles := !ctr.config.Privileged && !rootless.IsRootless()