From e7eb97b84a1f3ec2d7aa1d6959eb0eaf948d9efc Mon Sep 17 00:00:00 2001
From: Karuboniru
Date: Sat, 9 Dec 2023 20:16:38 +0000
Subject: [PATCH 1/2] fix checking of relative idmapped mount
Like stated in [PR for crun](https://github.com/containers/crun/pull/1372) that HostID is what being mapped here, so we should be checking `HostID` instead of `ContainerID`. `v.ContainerID` here is the id of owner of files on filesystem, that can be totally unrelated to the uid maps.
Signed-off-by: Karuboniru
---
 libpod/container_internal_common.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index b66268765b..bb04850d4f 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -86,7 +86,7 @@ func parseOptionIDs(ctrMappings []idtools.IDMap, option string) ([]idtools.IDMap
 if relative {
 found := false
 for _, m := range ctrMappings {
- if v.ContainerID >= m.ContainerID && v.ContainerID < m.ContainerID+m.Size {
+ if v.HostID >= m.ContainerID && v.HostID < m.ContainerID+m.Size {
 v.HostID += m.HostID - m.ContainerID
 found = true
 break
From 23f6c485152995f935cc63c4b46c7154b4746f73 Mon Sep 17 00:00:00 2001
From: Karuboniru
Date: Sun, 10 Dec 2023 13:03:20 +0000
Subject: [PATCH 2/2] Add test for relative idmap mount
Signed-off-by: Karuboniru
---
 test/system/030-run.bats | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 30949e390d..99b9221ba5 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -1251,6 +1251,11 @@ EOF
 run_podman run --uidmap=0:1000:10000 --rm --rootfs "$romount:idmap=uids=0-1001-10000;gids=0-1002-10000" stat -c %u:%g /bin
 is "$output" "1:2"
+ touch $romount/testfile
+ chown 2000:2000 $romount/testfile
+ run_podman run --uidmap=0:1000:2 --rm --rootfs "$romount:idmap=uids=@2000-1-1;gids=@2000-1-1" stat -c %u:%g /testfile
+ is "$output" "1:1"
+ rm -rf $romount }
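Review bot: The rewritten condition in `parseOptionIDs` bounds only the first ID of a relative range, since it checks that `v.HostID` lies inside `[m.ContainerID, m.ContainerID+m.Size)` but never compares the length of `v` with what remains of `m`. As far as these lines show, a relative mapping that starts near the end of a container mapping and has a size above 1 would be translated to host IDs beyond the range the container was given. If nothing later in the function rejects that (its body continues outside the hunk), the test should cover the whole range, for example `if v.HostID >= m.ContainerID && v.HostID+v.Size <= m.ContainerID+m.Size {`, assuming `v` has a `Size` field like `m`. A comment above the loop would also help, because comparing a field named `HostID` with `ContainerID` reads like a mistake: `// relative mapping: v.HostID is an ID inside the container's user namespace; translate it to the real host ID`.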
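Review bot: The added case in `030-run.bats` exercises only a relative ID that resolves (`uids=@2000-1-1` under `--uidmap=0:1000:2`); nothing checks that a relative ID outside the container's mapping is refused. A second `run_podman` call with an expected failure status and a constructed value such as `uids=@2000-5-1` under the same two-ID `--uidmap` would pin the `found` bookkeeping in the Go loop. The exact status and error text depend on code outside this patch, so they would need to be taken from the function's not-found path.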