libpod: hasCurrentUserMapped checks for gid too

the kernel checks that both the uid and the gid are mapped inside the user namespace, not only the uid: /** * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode? * @ns: The user namespace in question * @idmap: idmap of the mount @iNode was found from * @iNode: The inode in question * * Return true if the inode uid and gid are within the namespace. */ bool privileged_wrt_inode_uidgid(struct user_namespace *ns, struct mnt_idmap *idmap, const struct inode *inode) { return vfsuid_has_mapping(ns, i_uid_into_vfsuid(idmap, inode)) && vfsgid_has_mapping(ns, i_gid_into_vfsgid(idmap, inode)); } for this reason, improve the check for hasCurrentUserMapped to verify that the gid is also mapped, and if it is not, use an intermediate mount for the container rootfs. Closes: #24159 Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Oct 4, 2024 · e46ae46 · e46ae46
1 parent 08cbd38
commit e46ae46
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/libpod/oci_conmon_common.go b/libpod/oci_conmon_common.go
@@ -34,6 +34,7 @@ import (
 	"github.com/containers/podman/v5/pkg/specgenutil"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/containers/podman/v5/utils"
+	"github.com/containers/storage/pkg/idtools"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -172,13 +173,15 @@ func hasCurrentUserMapped(ctr *Container) bool {
 	if len(ctr.config.IDMappings.UIDMap) == 0 && len(ctr.config.IDMappings.GIDMap) == 0 {
 		return true
 	}
-	uid := os.Geteuid()
-	for _, m := range ctr.config.IDMappings.UIDMap {
-		if uid >= m.HostID && uid < m.HostID+m.Size {
-			return true
+	containsID := func(id int, mappings []idtools.IDMap) bool {
+		for _, m := range mappings {
+			if id >= m.HostID && id < m.HostID+m.Size {
+				return true
+			}
 		}
+		return false
 	}
-	return false
+	return containsID(os.Geteuid(), ctr.config.IDMappings.UIDMap) && containsID(os.Getegid(), ctr.config.IDMappings.GIDMap)
 }
 
 // CreateContainer creates a container.

diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
@@ -169,3 +169,15 @@ EOF
     run_podman run --rm --userns=auto:uidmapping=$mapping $IMAGE awk '{if($1 == 1){print $2}}' /proc/self/uid_map
     assert "$output" == 1
 }
+
+# bats test_tags=ci:parallel
+@test "podman current user not mapped in the userns" {
+    # both uid and gid not mapped
+    run_podman run --rm --uidmap 0:1:1000 $IMAGE true
+
+    # uid not mapped
+    run_podman run --rm --uidmap 0:1:1000 --gidmap 0:0:1000 $IMAGE true
+
+    # gid not mapped
+    run_podman run --rm --uidmap 0:0:1000 --gidmap 0:1:1000 $IMAGE true
+}