From c81f075f436466092372dec7a19c35fe387fe8d3 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 18 Jun 2024 17:05:01 +0200
Subject: [PATCH] libpod: do not chmod bind mounts with the new mount API is available, the OCI runtime doesn't require that each parent directory for a bind mount must be accessible. Instead it is opened in the initial user namespace and passed down to the container init process. This requires that the kernel supports the new mount API and that the OCI runtime uses it.
Signed-off-by: Giuseppe Scrivano
---
 libpod/container_internal_common.go | 9 ---------
 libpod/oci_conmon_common.go | 8 +++-----
 2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 70f6f741f5..65afbf0274 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -1917,15 +1917,6 @@ func (c *Container) makeBindMounts() error {
 return fmt.Errorf("assigning mounts to container %s: %w", c.ID(), err)
 }
 }
-
- if !hasCurrentUserMapped(c) {
- if err := makeAccessible(resolvPath, c.RootUID(), c.RootGID()); err != nil {
- return err
- }
- if err := makeAccessible(hostsPath, c.RootUID(), c.RootGID()); err != nil {
- return err
- }
- }
 } else {
 if !c.config.UseImageResolvConf {
 if err := c.createResolvConf(); err != nil {
diff --git a/libpod/oci_conmon_common.go b/libpod/oci_conmon_common.go
index 548286af0f..d72f7eb14c 100644
--- a/libpod/oci_conmon_common.go
+++ b/libpod/oci_conmon_common.go
@@ -183,16 +183,14 @@ func hasCurrentUserMapped(ctr *Container) bool {
 // CreateContainer creates a container.
 func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (int64, error) {
- // always make the run dir accessible to the current user so that the PID files can be read without
+ // always make the container directory accessible to the current user so that the PID files can be read without
 // being in the rootless user namespace.
 if err := makeAccessible(ctr.state.RunDir, 0, 0); err != nil {
 return 0, err
 }
 if !hasCurrentUserMapped(ctr) {
- for _, i := range []string{ctr.state.RunDir, ctr.runtime.config.Engine.TmpDir, ctr.config.StaticDir, ctr.state.Mountpoint, ctr.runtime.config.Engine.VolumePath} {
- if err := makeAccessible(i, ctr.RootUID(), ctr.RootGID()); err != nil {
- return 0, err
- }
+ if err := makeAccessible(ctr.state.Mountpoint, ctr.RootUID(), ctr.RootGID()); err != nil {
+ return 0, err
 }
 // if we are running a non privileged container, be sure to umount some kernel paths so they are not
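Review bot: The surviving makeAccessible call inside the `!hasCurrentUserMapped(ctr)` branch now silently assumes the OCI runtime opens bind-mount sources in the initial user namespace via the new mount API, but nothing in the hunk checks or records that; on a kernel or runtime without it, paths under RunDir, TmpDir, StaticDir and VolumePath that this loop previously relaxed will presumably fail late with a permission error rather than at container creation. Dropping those chmods is a least-privilege improvement, so rather than reinstating them a comment on the remaining call should make the dependency explicit, e.g. `// Only the mountpoint still needs to be reachable from the rootless user namespace; the OCI runtime is expected to open other bind-mount sources in the initial user namespace (new mount API).` The rewritten first comment now says "container directory" while the call directly below it still operates on `ctr.state.RunDir`, so the original `run dir` wording matched the code better. The same unstated assumption applies to the deleted resolvPath/hostsPath makeAccessible calls in the container_internal_common.go hunk. CreateContainer's body continues past the end of this hunk.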