Merge pull request #1693 from AkihiroSuda/leave-setgroups-allow
libcontainer: allow setgroup in rootless mode
bdbb9fab07
|
@ -1797,8 +1797,7 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
|
||||||
Value: []byte(c.newgidmapPath),
|
Value: []byte(c.newgidmapPath),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
// The following only applies if we are root.
|
if requiresRootOrMappingTool(c.config) {
|
||||||
if !c.config.Rootless {
|
|
||||||
// check if we have CAP_SETGID to setgroup properly
|
// check if we have CAP_SETGID to setgroup properly
|
||||||
pid, err := capability.NewPid(0)
|
pid, err := capability.NewPid(0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -1843,3 +1842,10 @@ func ignoreTerminateErrors(err error) error {
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func requiresRootOrMappingTool(c *configs.Config) bool {
|
||||||
|
gidMap := []configs.IDMap{
|
||||||
|
{ContainerID: 0, HostID: os.Getegid(), Size: 1},
|
||||||
|
}
|
||||||
|
return !reflect.DeepEqual(c.GidMappings, gidMap)
|
||||||
|
}
|
||||||
|
|
|
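Review bot: `requiresRootOrMappingTool` has no doc comment, even though its result now replaces the `!c.config.Rootless` test in `bootstrapData` and so decides whether the CAP_SETGID/setgroups block runs. The comparison is an exact `reflect.DeepEqual` against a single entry mapping container GID 0 to `os.Getegid()`, so an empty `GidMappings` and a single-entry mapping with a non-zero `ContainerID` both count as "requires root or a mapping tool". If that is intended it should be stated, because judging by the nsexec change in this commit a `true` here appears to leave setgroups(2) allowed in the child. I would add `// requiresRootOrMappingTool reports whether c.GidMappings is anything other than the single entry {0 -> caller's effective GID, size 1}; any other mapping needs root or newgidmap to write.` The body of `bootstrapData` starts and ends outside the first hunk, so what the guarded block sets is not visible here.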
@ -77,13 +77,13 @@ func (msg *Boolmsg) Serialize() []byte {
|
||||||
native.PutUint16(buf[0:2], uint16(msg.Len()))
|
native.PutUint16(buf[0:2], uint16(msg.Len()))
|
||||||
native.PutUint16(buf[2:4], msg.Type)
|
native.PutUint16(buf[2:4], msg.Type)
|
||||||
if msg.Value {
|
if msg.Value {
|
||||||
buf[4] = 1
|
native.PutUint32(buf[4:8], uint32(1))
|
||||||
} else {
|
} else {
|
||||||
buf[4] = 0
|
native.PutUint32(buf[4:8], uint32(0))
|
||||||
}
|
}
|
||||||
return buf
|
return buf
|
||||||
}
|
}
|
||||||
|
|
||||||
func (msg *Boolmsg) Len() int {
|
func (msg *Boolmsg) Len() int {
|
||||||
return unix.NLA_HDRLEN + 1
|
return unix.NLA_HDRLEN + 4 // alignment
|
||||||
}
|
}
|
||||||
|
|
|
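Review bot: The `// alignment` comment on `Len()` understates the change. The four bytes are included in the attribute length written to `buf[0:2]` and are filled by `PutUint32`, so the boolean is now a 4-byte native-endian integer on the wire rather than one byte plus padding. The reader of this attribute is not in this hunk; if it still reads a single byte at the start of the payload, a big-endian host would see 0 for `true`, which would flip the setgroups decision this commit depends on. I would reword the comment to `// bool is sent as a 4-byte native-endian value so the attribute stays NLA-aligned` and confirm that the parser reads 32 bits. `Serialize` begins above the hunk, so the allocation of `buf` from `msg.Len()` is assumed, not seen.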
@ -679,17 +679,15 @@ void nsexec(void)
|
||||||
/*
|
/*
|
||||||
* Enable setgroups(2) if we've been asked to. But we also
|
* Enable setgroups(2) if we've been asked to. But we also
|
||||||
* have to explicitly disable setgroups(2) if we're
|
* have to explicitly disable setgroups(2) if we're
|
||||||
* creating a rootless container (this is required since
|
* creating a rootless container for single-entry mapping.
|
||||||
* Linux 3.19).
|
* i.e. config.is_setgroup == false.
|
||||||
|
* (this is required since Linux 3.19).
|
||||||
|
*
|
||||||
|
* For rootless multi-entry mapping, config.is_setgroup shall be true and
|
||||||
|
* newuidmap/newgidmap shall be used.
|
||||||
*/
|
*/
|
||||||
if (config.is_rootless && config.is_setgroup) {
|
|
||||||
kill(child, SIGKILL);
|
|
||||||
bail("cannot allow setgroup in an unprivileged user namespace setup");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (config.is_setgroup)
|
if (config.is_rootless && !config.is_setgroup)
|
||||||
update_setgroups(child, SETGROUPS_ALLOW);
|
|
||||||
if (config.is_rootless)
|
|
||||||
update_setgroups(child, SETGROUPS_DENY);
|
update_setgroups(child, SETGROUPS_DENY);
|
||||||
|
|
||||||
/* Set up mappings. */
|
/* Set up mappings. */
|
||||||
|
|
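Review bot: The comment still opens with "Enable setgroups(2) if we've been asked to", but the new code never writes `SETGROUPS_ALLOW`. It writes deny only for `is_rootless && !is_setgroup` and otherwise leaves the kernel default. With the `bail()` removed, a rootless caller that sets `is_setgroup` keeps setgroups(2) available in the namespace, and nothing in this hunk confirms that the gid map is then written through newgidmap as the comment says it "shall" be. That matters because setgroups in an unprivileged user namespace lets a process drop supplementary groups that host file permissions may rely on. I would state the invariant at the decision point, e.g. `/* Only deny is ever written here; when is_setgroup is set in rootless mode the gid map must be written by newgidmap. */`, and consider keeping a `bail()` for `is_rootless && is_setgroup` when no mapping-tool path was passed in (that field is not visible here; `nsexec()` starts and ends outside the hunk).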