Merge pull request #1994 from giuseppe/rootless-mount-allow-only-from-vfs

mount: allow mount only when using vfs

cmd/podman/main.go

@@ -34,6 +34,7 @@ var cmdsNotRequiringRootless = map[string]bool{
 	// If this change, please also update libpod.refreshRootless()
 	"login":   true,
 	"logout":  true,
+	"mount":   true,
 	"kill":    true,
 	"pause":   true,
 	"restart": true,

cmd/podman/mount.go

@@ -3,9 +3,11 @@ package main
 import (
 	js "encoding/json"
 	"fmt"
+	"os"
 
 	of "github.com/containers/libpod/cmd/podman/formats"
 	"github.com/containers/libpod/cmd/podman/libpodruntime"
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -52,6 +54,9 @@ func mountCmd(c *cli.Context) error {
 	if err := validateFlags(c, mountFlags); err != nil {
 		return err
 	}
+	if os.Geteuid() != 0 {
+		rootless.SetSkipStorageSetup(true)
+	}
 
 	runtime, err := libpodruntime.GetRuntime(c)
 	if err != nil {
@@ -59,6 +64,22 @@ func mountCmd(c *cli.Context) error {
 	}
 	defer runtime.Shutdown(false)
 
+	if os.Geteuid() != 0 {
+		if driver := runtime.GetConfig().StorageConfig.GraphDriverName; driver != "vfs" {
+			// Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
+			// of the mount command.
+			return fmt.Errorf("cannot mount using driver %s in rootless mode", driver)
+		}
+
+		became, ret, err := rootless.BecomeRootInUserNS()
+		if err != nil {
+			return err
+		}
+		if became {
+			os.Exit(ret)
+		}
+	}
+
 	formats := map[string]bool{
 		"":            true,
 		of.JSONString: true,