containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libpod: hasCurrentUserMapped checks for gid too 

the kernel checks that both the uid and the gid are mapped inside the
user namespace, not only the uid:

/**
 * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
 * @ns: The user namespace in question
 * @idmap: idmap of the mount @inode was found from
 * @inode: The inode in question
 *
 * Return true if the inode uid and gid are within the namespace.
 */
bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
				 struct mnt_idmap *idmap,
				 const struct inode *inode)
{
	return vfsuid_has_mapping(ns, i_uid_into_vfsuid(idmap, inode)) &&
	       vfsgid_has_mapping(ns, i_gid_into_vfsgid(idmap, inode));
}

for this reason, improve the check for hasCurrentUserMapped to verify
that the gid is also mapped, and if it is not, use an intermediate
mount for the container rootfs.

Closes: https://github.com/containers/podman/issues/24159

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2024-10-04 16:09:54 +02:00
parent 08cbd38994
commit e46ae46f18
No known key found for this signature in database
GPG Key ID: 67E38F7A8BA21772
2 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libpod/oci_conmon_common.go
View File

@ -34,6 +34,7 @@ import (
"github.com/containers/podman/v5/pkg/specgenutil" "github.com/containers/podman/v5/pkg/specgenutil"
"github.com/containers/podman/v5/pkg/util" "github.com/containers/podman/v5/pkg/util"
"github.com/containers/podman/v5/utils" "github.com/containers/podman/v5/utils"
"github.com/containers/storage/pkg/idtools"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
@ -172,14 +173,16 @@ func hasCurrentUserMapped(ctr *Container) bool {
if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 { if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 {
return true return true
} }
uid := os.Geteuid() containsID := func(id int, mappings []idtools.IDMap) bool {
for _, m := range ctr.config.IDMappings.UIDMap { for _, m := range mappings {
if uid >= m.HostID && uid < m.HostID+m.Size { if id >= m.HostID && id < m.HostID+m.Size {
return true return true
} }
} }
return false return false
} }
return containsID(os.Geteuid(), ctr.config.IDMappings.UIDMap) && containsID(os.Getegid(), ctr.config.IDMappings.GIDMap)
}
// CreateContainer creates a container. // CreateContainer creates a container.
func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (int64, error) { func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (int64, error) {

12
test/system/170-run-userns.bats
View File

@ -169,3 +169,15 @@ EOF
run_podman run --rm --userns=auto:uidmapping=$mapping $IMAGE awk '{if($1 == 1){print $2}}' /proc/self/uid_map run_podman run --rm --userns=auto:uidmapping=$mapping $IMAGE awk '{if($1 == 1){print $2}}' /proc/self/uid_map
assert "$output" == 1 assert "$output" == 1
} }
# bats test_tags=ci:parallel
@test "podman current user not mapped in the userns" {
# both uid and gid not mapped
run_podman run --rm --uidmap 0:1:1000 $IMAGE true
# uid not mapped
run_podman run --rm --uidmap 0:1:1000 --gidmap 0:0:1000 $IMAGE true
# gid not mapped
run_podman run --rm --uidmap 0:0:1000 --gidmap 0:1:1000 $IMAGE true
}