oci_conmon: not make accessible dirs if not needed

do not change the permissions mask for the rundir and the tmpdir when running a container with a user namespace and the current user is mapped inside the user namespace. The change was introduced with 849548f, that dropped the intermediate mount namespace in favor of allowing root into the user namespace to access these directories. Closes: #4846 Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Jan 14, 2020 · 6818504 · 6818504
1 parent 79ec2a9
commit 6818504
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
@@ -149,9 +149,23 @@ func (r *ConmonOCIRuntime) Path() string {
 	return r.path
 }
 
+// hasCurrentUserMapped checks whether the current user is mapped inside the container user namespace
+func hasCurrentUserMapped(ctr *Container) bool {
+	if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 {
+		return true
+	}
+	uid := os.Geteuid()
+	for _, m := range ctr.config.IDMappings.UIDMap {
+		if uid >= m.HostID && uid < m.HostID+m.Size {
+			return true
+		}
+	}
+	return false
+}
+
 // CreateContainer creates a container.
 func (r *ConmonOCIRuntime) CreateContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (err error) {
-	if len(ctr.config.IDMappings.UIDMap) != 0 || len(ctr.config.IDMappings.GIDMap) != 0 {
+	if !hasCurrentUserMapped(ctr) {
 		for _, i := range []string{ctr.state.RunDir, ctr.runtime.config.TmpDir, ctr.config.StaticDir, ctr.state.Mountpoint, ctr.runtime.config.VolumePath} {
 			if err := makeAccessible(i, ctr.RootUID(), ctr.RootGID()); err != nil {
 				return err