libpod: fix volume copyup with idmap

if idmap is specified for a volume, reverse the mappings when copying up from the container, so that the original permissions are maintained. Closes: containers#23467 Signed-off-by: Giuseppe Scrivano <[email protected]> (cherry picked from commit 3ae1568)
giuseppe · Nov 18, 2024 · c146fa1 · c146fa1
1 parent e55cef6
commit c146fa1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
@@ -1860,6 +1860,11 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string)
 			getOptions := copier.GetOptions{
 				KeepDirectoryNames: false,
 			}
+			// If the volume is idmapped, we need to "undo" the idmapping
+			if slices.Contains(v.Options, "idmap") {
+				getOptions.UIDMap = c.config.IDMappings.UIDMap
+				getOptions.GIDMap = c.config.IDMappings.GIDMap
+			}
 			errChan <- copier.Get(srcDir, "", getOptions, []string{"/."}, writer)
 		}()
 

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
@@ -1220,7 +1220,7 @@ EOF
     fi
 }
 
-@test "podman run - rootfs with idmapped mounts" {
+@test "podman run - idmapped mounts" {
     skip_if_rootless "idmapped mounts work only with root for now"
 
     skip_if_remote "userns=auto is set on the server"
@@ -1262,6 +1262,12 @@ EOF
     is "$output" "0:0"
     run_podman volume rm $myvolume
 
+    # verify that copyup with an idmap volume maintains the original ownership
+    myvolume=my-volume-$(random_string)
+    run_podman run --rm --uidmap=0:1000:10000 -v $myvolume:/etc:idmap $IMAGE stat -c %u:%g /etc/passwd
+    is "$output" "0:0"
+    run_podman volume rm $myvolume
+
     rm -rf $romount
 }