Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

unshare: improve rootless detection #1312

Merged
merged 1 commit into from
Aug 26, 2022

Conversation

giuseppe
Copy link
Member

in addition to check the UID of the user that launched the command,
also check whether the process has CAP_SYS_ADMIN (in the same way as
podman/pkg/rootless does) and also check that the current user
namespace has all the IDs available.

Closes: #1311

After this change, podman/pkg/rootless can use the function directly
instead of defining another version with similar functionalities.

Signed-off-by: Giuseppe Scrivano [email protected]

}
}
if !isRootless {
hasMappings, err := hasFullUsersMappings()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would this indicate isRootless.

If I have a range of 0 0 1000000 won't the isRootless return true? Aren't I running as root in this case?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But we are using isRootless to mean "not in the initial user namespace". That is what the kernel does when checking what is allowed and what not. For example, we need to use user. xattrs for overlay whiteouts even if we are root in a user namespace

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think by now, we desperately need documentation. “IsRootless tells us if we are running in rootless mode” says nothing.

Describe in which situations that function returns true (possibly how can one get into such situations), and what does that means for application behavior. What should, or shouldn’t, they be doing differently?

It might well be the case that we need three or more different functions, IsNotInTheInitialUserNamespace, IsInsideAPodmanCreatedContainerNamespace, and so on.

Just vaguely saying “rootless” is apparently causing misunderstandings and unanticipated breakage.

@rhatdan
Copy link
Member

rhatdan commented Aug 25, 2022

// by looking up 4294967295 in /proc/self/uid_map. If the mappings would be
// copied as they are, the check in the OCI runtimes would fail. So just split
// it in two different ranges.
return bytes.Contains(content, []byte("4294967295")), nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment doesn't seem to describe what's happening before or after it, so I don't understand what's happening here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've fixed the comment and pushed a new version

in addition to check the UID of the user that launched the command,
also check whether the process has CAP_SYS_ADMIN (in the same way as
podman/pkg/rootless does) and also check that the current user
namespace has all the IDs available.

Closes: containers#1311

After this change, podman/pkg/rootless can use the function directly
instead of defining another version with similar functionalities.

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe giuseppe force-pushed the improve-rootless-detection branch from 966eeb8 to 975fab1 Compare August 25, 2022 20:59
Copy link
Collaborator

@flouthoc flouthoc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan rhatdan merged commit 73109f5 into containers:main Aug 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Can't pull read only image to additionalimagestores as root
5 participants