libpod: correctly map UID/GID for existing dirs

if the target mount path already exists and the container uses a user namespace, correctly map the target UID/GID to the host values before attempting a chown. Closes: https://github.com/containers/podman/issues/21608 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-06-27 21:50:18 +08:00 · 2024-02-12 10:54:21 +01:00
parent 6d107a26fb
commit c29fde2656
2 changed files with 32 additions and 1 deletions
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@ -2865,7 +2865,22 @@ func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
 		st, err := os.Lstat(filepath.Join(c.state.Mountpoint, v.Dest))
 		if err == nil {
 			if stat, ok := st.Sys().(*syscall.Stat_t); ok {
-				if err := idtools.SafeLchown(mountPoint, int(stat.Uid), int(stat.Gid)); err != nil {
+				uid, gid := int(stat.Uid), int(stat.Gid)
+
+				if c.config.IDMappings.UIDMap != nil {
+					p := idtools.IDPair{
+						UID: uid,
+						GID: gid,
+					}
+					mappings := idtools.NewIDMappingsFromMaps(c.config.IDMappings.UIDMap, c.config.IDMappings.GIDMap)
+					newUID, newGID, err := mappings.ToContainer(p)
+					if err != nil {
+						return fmt.Errorf("mapping user %d:%d: %w", uid, gid, err)
+					}
+					uid, gid = newUID, newGID
+				}
+
+				if err := idtools.SafeLchown(mountPoint, uid, gid); err != nil {
 					return err
 				}
 			}