From d81319eb71215694b7c3c5e3f20f2fd27a00f582 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Sun, 31 Mar 2024 23:22:12 +0200
Subject: [PATCH] libpod: use original IDs if idmap is provided

if the volume is mounted with "idmap", there should not be any mapping using the user namespace mappings since this is done at runtime using the "idmap" kernel feature.

Closes: https://github.com/containers/podman/issues/22228

Signed-off-by: Giuseppe Scrivano
---
 libpod/container_internal_common.go | 12 +++++++++++-
 test/system/030-run.bats | 9 ++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 3bb6dfe1eb..07627abd1e 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -2819,6 +2819,15 @@ func (c *Container) createSecretMountDir(runPath string) error {
 return err
 }
+func hasIdmapOption(options []string) bool {
+ for _, o := range options {
+ if o == "idmap" || strings.HasPrefix(o, "idmap=") {
+ return true
+ }
+ }
+ return false
+}
+
 // Fix ownership and permissions of the specified volume if necessary.
 func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
 vol, err := c.runtime.state.Volume(v.Name)
@@ -2842,7 +2851,8 @@ func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
 uid := int(c.config.Spec.Process.User.UID)
 gid := int(c.config.Spec.Process.User.GID)
- if c.config.IDMappings.UIDMap != nil {
+ // if the volume is mounted with "idmap", leave the IDs in from the current environment.
+ if c.config.IDMappings.UIDMap != nil && !hasIdmapOption(v.Options) {
 p := idtools.IDPair{
 UID: uid,
 GID: gid,
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 56acf6c5e1..6818fa79cd 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats 
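Review bot: `hasIdmapOption` lands without a doc comment, and its contract matters for ownership handling, since a true result is what makes `fixVolumePermissions` skip the user-namespace translation of the owner IDs. I would add above it `// hasIdmapOption reports whether the mount options request an idmapped mount,` / `// either a bare "idmap" or "idmap=<mapping>". The kernel then remaps IDs at mount` / `// time, so callers must not translate the owner through the container's user namespace.` The match is exact and case-sensitive, so an option with different case or stray whitespace falls through to the mapping path; that is presumably consistent with how the option parser validates it elsewhere, but worth confirming. No import hunk appears in the diff, so `strings` must already be imported in this file.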
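Review bot: The new comment `// if the volume is mounted with "idmap", leave the IDs in from the current environment.` reads awkwardly and does not say why the mapping is skipped; I would replace it with `// An idmapped mount ("idmap" option) has the kernel translate ownership at mount time,` / `// so keep the unmapped uid/gid here instead of translating them through the user namespace.` With `idmap` plus a user namespace the volume now takes the non-namespace path with the container's raw uid/gid (0 for root in the new test), so correctness depends on the runtime actually applying the idmap mapping; if the mount were to fall back to a plain bind mount the ownership would be off in the other direction, which is worth a sentence in the commit message. The body of fixVolumePermissions continues past the end of the hunk.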
@@ -1252,9 +1252,16 @@ EOF
 touch $romount/testfile
 chown 2000:2000 $romount/testfile
- run_podman run --uidmap=0:1000:2 --rm --rootfs "$romount:idmap=uids=@2000-1-1;gids=@2000-1-1" stat -c %u:%g /testfile
+ run_podman run --uidmap=0:1000:200 --rm --rootfs "$romount:idmap=uids=@2000-1-1;gids=@2000-1-1" stat -c %u:%g /testfile
 is "$output" "1:1"
+ myvolume=my-volume-$(random_string)
+ run_podman volume create $myvolume
+ mkdir $romount/volume
+ run_podman run --rm --uidmap=0:1000:10000 -v volume:/volume:idmap --rootfs $romount stat -c %u:%g /volume
+ is "$output" "0:0"
+ run_podman volume rm $myvolume
+
 rm -rf $romount
 }
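Review bot: The new `run_podman run` line mounts `-v volume:/volume:idmap`, a literal volume named `volume`, rather than the `$myvolume` created two lines above; the test passes only because podman implicitly creates that named volume, the freshly created `$myvolume` is never exercised, and the implicit `volume` is left behind after `run_podman volume rm $myvolume`. Change it to `-v $myvolume:/volume:idmap`. It would also be worth asserting the host-side ownership of the volume mount point (via `podman volume inspect` and `stat` on its mountpoint) so the test checks that the chown really used the unmapped IDs, rather than only the view from inside the container.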