idmap: force PRIVATE propagation

do not leak idmapped mounts to other namespaces, since they are meant
to be used privately by overlay.

This is already done with the default configuration, since we have a
private mount on top of the graphdriver directory, but it is not the
case when `skip_home_mount` is used.

Closes: https://issues.redhat.com/browse/OCPBUGS-49927

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano 2025-03-05 15:47:02 +01:00
parent 2dcbde6660
commit 22b679b1c0
No known key found for this signature in database
GPG Key ID: 67E38F7A8BA21772
1 changed files with 3 additions and 2 deletions


@ -33,8 +33,9 @@ func CreateIDMappedMount(source, target string, pid int) error {
if err := unix.MountSetattr(targetDirFd, "", unix.AT_EMPTY_PATH|unix.AT_RECURSIVE,
&unix.MountAttr{
Attr_set: unix.MOUNT_ATTR_IDMAP,
Userns_fd: uint64(userNsFile.Fd()),
Attr_set: unix.MOUNT_ATTR_IDMAP,
Userns_fd: uint64(userNsFile.Fd()),
Propagation: unix.MS_PRIVATE,
}); err != nil {
return &os.PathError{Op: "mount_setattr", Path: source, Err: err}
}