Merge pull request containers#13794 from rhatdan/newuidmap

If newuidmap or newgidmap fail, then check their permissions

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/containers/image/v5 v5.21.0
 	github.com/containers/ocicrypt v1.1.3
 	github.com/containers/psgo v1.7.2
-	github.com/containers/storage v1.39.1-0.20220330193934-f3200eb5a5d9
+	github.com/containers/storage v1.39.1-0.20220406221121-28f3ba9b891d
 	github.com/coreos/go-systemd/v22 v22.3.2
 	github.com/coreos/stream-metadata-go v0.0.0-20210225230131-70edb9eb47b3
 	github.com/cyphar/filepath-securejoin v0.2.3

go.sum

@@ -378,8 +378,9 @@ github.com/containers/storage v1.38.0/go.mod h1:lBzt28gAk5ADZuRtwdndRJyqX22vnRaX
 github.com/containers/storage v1.38.2/go.mod h1:INP0RPLHWBxx+pTsO5uiHlDUGHDFvWZPWprAbAlQWPQ=
 github.com/containers/storage v1.38.3-0.20220301151551-d06b0f81c0aa/go.mod h1:LkkL34WRi4dI4jt9Cp+ImdZi/P5i36glSHimT5CP5zM=
 github.com/containers/storage v1.39.0/go.mod h1:UAD0cKLouN4BOQRgZut/nMjrh/EnTCjSNPgp4ZuGWMs=
-github.com/containers/storage v1.39.1-0.20220330193934-f3200eb5a5d9 h1:fA/2FemaDv+POCJgg+QGJm84gMEDBwL5H0lDeubDJoE=
 github.com/containers/storage v1.39.1-0.20220330193934-f3200eb5a5d9/go.mod h1:IMa2AfBI+Fxxk2hQqLTGhpJX6z2pZS1/I785QJeUwUY=
+github.com/containers/storage v1.39.1-0.20220406221121-28f3ba9b891d h1:Xapzm11C1zDNPpdb/1TgTqGvnQEnDoFHUwM487r64Eo=
+github.com/containers/storage v1.39.1-0.20220406221121-28f3ba9b891d/go.mod h1:UuYvGSKIdmzkjHbT/PENtxLRVGQ974nyhMbYp0KP19w=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=

pkg/rootless/rootless_linux.go

@@ -25,6 +25,7 @@ import (
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
 )
 
@@ -114,8 +115,14 @@ func GetRootlessGID() int {
 
 func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error {
 	var tool = "newuidmap"
+	mode := os.ModeSetuid
+	cap := capability.CAP_SETUID
+	idtype := "setuid"
 	if !uid {
 		tool = "newgidmap"
+		mode = os.ModeSetgid
+		cap = capability.CAP_SETGID
+		idtype = "setgid"
 	}
 	path, err := exec.LookPath(tool)
 	if err != nil {
@@ -147,7 +154,13 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err
 
 	if output, err := cmd.CombinedOutput(); err != nil {
 		logrus.Errorf("running `%s`: %s", strings.Join(args, " "), output)
-		return errors.Wrapf(err, "cannot setup namespace using %q", path)
+		errorStr := fmt.Sprintf("cannot setup namespace using %q", path)
+		if isSet, err := unshare.IsSetID(cmd.Path, mode, cap); err != nil {
+			logrus.Errorf("Failed to check for %s on %s: %v", idtype, path, err)
+		} else if !isSet {
+			errorStr = fmt.Sprintf("%s: should have %s or have filecaps %s", errorStr, idtype, idtype)
+		}
+		return errors.Wrapf(err, errorStr)
 	}
 	return nil
 }