
pkg: idtools: export RawTo{Container,Host}
While the IDMapping methods are preferable for most users, sometimes it
is necessary to map a single ID using a given mapping. In particular
this is needed for psgo to be able to map the user and group entries in
/proc/$pid/status using the user namespace of the target process.

Required to resolve CVE-2022-1227 for Podman v3.0.1.

Signed-off-by: Aleksa Sarai <[email protected]>
Backported-by: Valentin Rothberg <[email protected]>
cyphar authored and vrothberg committed Apr 14, 2022
1 parent eb523e6 commit 6e9b8ad
Showing 1 changed file with 22 additions and 14 deletions.
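--- a/pkg/idtools/idtools.go
+++ b/pkg/idtools/idtools.go
@@ -82,26 +82,30 @@ func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
 if len(uidMap) == 1 && uidMap[0].Size == 1 {
 uid = uidMap[0].HostID
 } else {
-uid, err = toHost(0, uidMap)
+uid, err = RawToHost(0, uidMap)
 if err != nil {
 return -1, -1, err
 }
 }
 if len(gidMap) == 1 && gidMap[0].Size == 1 {
 gid = gidMap[0].HostID
 } else {
-gid, err = toHost(0, gidMap)
+gid, err = RawToHost(0, gidMap)
 if err != nil {
 return -1, -1, err
 }
 }
 return uid, gid, nil
 }
 
-// toContainer takes an id mapping, and uses it to translate a
-// host ID to the remapped ID. If no map is provided, then the translation
-// assumes a 1-to-1 mapping and returns the passed in id
-func toContainer(hostID int, idMap []IDMap) (int, error) {
+// RawToContainer takes an id mapping, and uses it to translate a host ID to
+// the remapped ID. If no map is provided, then the translation assumes a
+// 1-to-1 mapping and returns the passed in id.
+//
+// If you wish to map a (uid,gid) combination you should use the corresponding
+// IDMappings methods, which ensure that you are mapping the correct ID against
+// the correct mapping.
+func RawToContainer(hostID int, idMap []IDMap) (int, error) {
 if idMap == nil {
 return hostID, nil
 }
@@ -114,10 +118,14 @@ func toContainer(hostID int, idMap []IDMap) (int, error) {
 return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
 }
 
-// toHost takes an id mapping and a remapped ID, and translates the
-// ID to the mapped host ID. If no map is provided, then the translation
-// assumes a 1-to-1 mapping and returns the passed in id #
-func toHost(contID int, idMap []IDMap) (int, error) {
+// RawToHost takes an id mapping and a remapped ID, and translates the ID to
+// the mapped host ID. If no map is provided, then the translation assumes a
+// 1-to-1 mapping and returns the passed in id.
+//
+// If you wish to map a (uid,gid) combination you should use the corresponding
+// IDMappings methods, which ensure that you are mapping the correct ID against
+// the correct mapping.
+func RawToHost(contID int, idMap []IDMap) (int, error) {
 if idMap == nil {
 return contID, nil
 }
@@ -188,25 +196,25 @@ func (i *IDMappings) ToHost(pair IDPair) (IDPair, error) {
 target := i.RootPair()
 
 if pair.UID != target.UID {
-target.UID, err = toHost(pair.UID, i.uids)
+target.UID, err = RawToHost(pair.UID, i.uids)
 if err != nil {
 return target, err
 }
 }
 
 if pair.GID != target.GID {
-target.GID, err = toHost(pair.GID, i.gids)
+target.GID, err = RawToHost(pair.GID, i.gids)
 }
 return target, err
 }
 
 // ToContainer returns the container UID and GID for the host uid and gid
 func (i *IDMappings) ToContainer(pair IDPair) (int, int, error) {
-uid, err := toContainer(pair.UID, i.uids)
+uid, err := RawToContainer(pair.UID, i.uids)
 if err != nil {
 return -1, -1, err
 }
-gid, err := toContainer(pair.GID, i.gids)
+gid, err := RawToContainer(pair.GID, i.gids)
 return uid, gid, err
 }
 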
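Review bot: Now that RawToContainer and RawToHost are exported, the `if idMap == nil { return hostID, nil }` identity fallback becomes a footgun the new doc comments do not spell out: a caller that accidentally hands in a nil mapping silently gets the host ID back unmapped, whereas an empty but non-nil slice falls through to the lookup and (as the visible `return -1, fmt.Errorf("Host ID %d cannot be mapped ...")` tail of RawToContainer shows) fails with an error. Since the stated consumer is psgo mapping IDs read from /proc/$pid/status, I would make that contract explicit in both comments, e.g. `// A nil idMap is treated as the identity mapping and is never an error; an empty, non-nil idMap maps nothing and returns an error.` The lookup loops of both functions, and the error tail of RawToHost, lie outside the visible hunk lines, so the RawToHost half of that statement is inferred from symmetry with RawToContainer.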

