containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rootless: attempt to copy current mappings first 

when creating a user namespace, attempt to create it first by copying
the current mappings and then fallback to the other methods:

1) use newidmap tools and ...
2) create a user namespace with a single user mapped.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2021-04-19 12:21:26 +02:00
parent 24f00e4695
commit e4c269e2d0
No known key found for this signature in database
GPG Key ID: E4730F97F60286ED
1 changed files with 51 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
pkg/rootless/rootless_linux.go
View File

@ -4,6 +4,7 @@ package rootless
import ( import (
"bufio" "bufio"
"bytes"
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
@ -18,6 +19,7 @@ import (
"github.com/containers/podman/v3/pkg/errorhandling" "github.com/containers/podman/v3/pkg/errorhandling"
"github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
@ -67,6 +69,15 @@ func IsRootless() bool {
} }
} }
isRootless = os.Geteuid() != 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" isRootless = os.Geteuid() != 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != ""
if !isRootless {
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
logrus.Warnf("failed to read CAP_SYS_ADMIN presence for the current process")
}
if err == nil && !hasCapSysAdmin {
isRootless = true
}
}
}) })
return isRootless return isRootless
} }
@ -142,8 +153,12 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err
// namespace of the specified PID without looking up its parent. Useful to join directly // namespace of the specified PID without looking up its parent. Useful to join directly
// the conmon process. // the conmon process.
func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) { func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) {
if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { hasCapSysAdmin, err := unshare.HasCapSysAdmin()
return false, -1, nil if err != nil {
return false, 0, err
}
if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
return false, 0, nil
} }
cPausePid := C.CString(pausePid) cPausePid := C.CString(pausePid)
@ -192,8 +207,28 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
return uids, gids, nil return uids, gids, nil
} }
func copyMappings(from, to string) error {
content, err := ioutil.ReadFile(from)
if err != nil {
return err
}
// Both runc and crun check whether the current process is in a user namespace
// by looking up 4294967295 in /proc/self/uid_map. If the mappings would be
// copied as they are, the check in the OCI runtimes would fail. So just split
// it in two different ranges.
if bytes.Contains(content, []byte("4294967295")) {
content = []byte("0 0 1\n1 1 4294967294\n")
}
return ioutil.WriteFile(to, content, 0600)
}
func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ bool, _ int, retErr error) { func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ bool, _ int, retErr error) {
if os.Geteuid() == 0 || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" { hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
return false, 0, err
}
if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" { if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" {
return false, 0, runInUser() return false, 0, runInUser()
} }
@ -250,8 +285,16 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
return false, -1, err return false, -1, err
} }
uidMap := fmt.Sprintf("/proc/%d/uid_map", pid)
gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)
uidsMapped := false uidsMapped := false
if uids != nil {
if err := copyMappings("/proc/self/uid_map", uidMap); err == nil {
uidsMapped = true
}
if uids != nil && !uidsMapped {
err := tryMappingTool(true, pid, os.Geteuid(), uids) err := tryMappingTool(true, pid, os.Geteuid(), uids)
// If some mappings were specified, do not ignore the error // If some mappings were specified, do not ignore the error
if err != nil && len(uids) > 0 { if err != nil && len(uids) > 0 {
@ -268,7 +311,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
} }
logrus.Debugf("write setgroups file exited with 0") logrus.Debugf("write setgroups file exited with 0")
uidMap := fmt.Sprintf("/proc/%d/uid_map", pid)
err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666) err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Geteuid())), 0666)
if err != nil { if err != nil {
return false, -1, errors.Wrapf(err, "cannot write uid_map") return false, -1, errors.Wrapf(err, "cannot write uid_map")
@ -277,7 +319,10 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
} }
gidsMapped := false gidsMapped := false
if gids != nil { if err := copyMappings("/proc/self/gid_map", gidMap); err == nil {
gidsMapped = true
}
if gids != nil && !gidsMapped {
err := tryMappingTool(false, pid, os.Getegid(), gids) err := tryMappingTool(false, pid, os.Getegid(), gids)
// If some mappings were specified, do not ignore the error // If some mappings were specified, do not ignore the error
if err != nil && len(gids) > 0 { if err != nil && len(gids) > 0 {
@ -286,7 +331,6 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
gidsMapped = err == nil gidsMapped = err == nil
} }
if !gidsMapped { if !gidsMapped {
gidMap := fmt.Sprintf("/proc/%d/gid_map", pid)
err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666) err = ioutil.WriteFile(gidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getegid())), 0666)
if err != nil { if err != nil {
return false, -1, errors.Wrapf(err, "cannot write gid_map") return false, -1, errors.Wrapf(err, "cannot write gid_map")