Merge pull request #6435 from QiWang19/uid

check --user range for rootless containers
OpenShift Merge Robot 2020-06-02 20:51:13 +02:00 committed by GitHub
commit c4ccd7cbc1
4 changed files with 38 additions and 0 deletions


@ -3,6 +3,7 @@ package containers
import (
"fmt"
"os"
"strconv"
"strings"
"github.com/containers/libpod/cmd/podman/common"
@ -10,7 +11,9 @@ import (
"github.com/containers/libpod/libpod/define"
"github.com/containers/libpod/pkg/domain/entities"
"github.com/containers/libpod/pkg/errorhandling"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/pkg/specgen"
"github.com/containers/libpod/pkg/util"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@ -92,6 +95,15 @@ func run(cmd *cobra.Command, args []string) error {
return err
}
if rootless.IsRootless() && !registry.IsRemote() {
userspec := strings.SplitN(cliVals.User, ":", 2)[0]
if uid, err := strconv.ParseInt(userspec, 10, 32); err == nil {
if err := util.CheckRootlessUIDRange(int(uid)); err != nil {
return err
}
}
}
if af := cliVals.Authfile; len(af) > 0 {
if _, err := os.Stat(af); err != nil {
return errors.Wrapf(err, "error checking authfile path %s", af)
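Review bot: `strconv.ParseInt(userspec, 10, 32)` accepts a leading sign, so a spec like `--user=-1` parses cleanly and reaches `util.CheckRootlessUIDRange(int(uid))` as a negative value, which the helper's `uid > u.Size+1` comparison never rejects. Parsing with `strconv.ParseUint(userspec, 10, 32)` instead rejects negative specs at the CLI and still leaves a non-numeric spec (a user name) to be resolved and checked later in generateSpec, as this commit's other hunk does. Since a parse failure deliberately falls through, a short comment such as `// non-numeric specs are resolved against the image's /etc/passwd and checked in generateSpec` would make that intent clear. The enclosing run function starts and ends outside the hunk.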


@ -325,6 +325,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
if c.config.User != "" {
if rootless.IsRootless() {
if err := util.CheckRootlessUIDRange(execUser.Uid); err != nil {
return nil, err
}
}
// User and Group must go together
g.SetProcessUID(uint32(execUser.Uid))
g.SetProcessGID(uint32(execUser.Gid))
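Review bot: Only `execUser.Uid` is range-checked before `g.SetProcessUID`/`g.SetProcessGID` are called, while `execUser.Gid` is applied unchecked; a group id outside the rootless user's configured gid mappings would presumably fail later at runtime with a less specific error, so a matching check on the GID seems warranted. The helper introduced in this commit discards the second return value of `rootless.GetConfiguredMappings()`, which looks like the gid mappings needed for such a check — confirm against that function. The enclosing generateSpec starts and ends outside the hunk.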


@ -6,6 +6,7 @@ import (
"path/filepath"
"syscall"
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/psgo"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
@ -52,3 +53,18 @@ func FindDeviceNodes() (map[string]string, error) {
return nodes, nil
}
// CheckRootlessUIDRange checks the uid within the rootless container is in the range from /etc/subuid
func CheckRootlessUIDRange(uid int) error {
uids, _, err := rootless.GetConfiguredMappings()
if err != nil {
return err
}
for _, u := range uids {
// add 1 since we also map in the user's own UID
if uid > u.Size+1 {
return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid)
}
}
return nil
}
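Review bot: `CheckRootlessUIDRange` compares the uid against each mapping's `Size` separately and returns on the first failure, so with more than one configured subuid entry a uid that lies in a later range is rejected as soon as it exceeds the first entry's size, and a uid larger than every individual entry but within their combined span is rejected as well. The check should be made once against the total mapped id space (all entry sizes plus the slot for the user's own UID that the comment mentions), and a negative uid should be rejected explicitly since the current comparison lets it through. The exact boundary depends on how `GetConfiguredMappings` lays the ranges out in the container id space, which this page does not show — the `>=` below assumes ids run contiguously from 0 and should be confirmed against that helper.
```go
func CheckRootlessUIDRange(uid int) error {
	uids, _, err := rootless.GetConfiguredMappings()
	if err != nil {
		return err
	}
	// Ids available inside the container: every configured subuid range
	// plus one slot for the user's own UID, which is mapped in as well.
	total := 1
	for _, u := range uids {
		total += u.Size
	}
	if uid < 0 || uid >= total {
		return errors.Errorf("requested user's UID %d is too large for the rootless user namespace", uid)
	}
	return nil
}
```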


@ -10,3 +10,8 @@ import (
func FindDeviceNodes() (map[string]string, error) {
return nil, errors.Errorf("not supported on non-Linux OSes")
}
// CheckRootlessUIDRange is not implemented anywhere except Linux.
func CheckRootlessUIDRange(uid int) error {
return nil
}