From 0138440a0c8c090fcef0215aa085fc4e55533730 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Fri, 9 Sep 2022 17:21:42 +0200
Subject: [PATCH] Explain why a substring match is sufficient when reading uid_map
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

per https://github.com/containers/storage/pull/1312#discussion_r966242314 .

Signed-off-by: Miloslav Trmač
---
 pkg/unshare/unshare_linux.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/unshare/unshare_linux.go b/pkg/unshare/unshare_linux.go
index f29c93dba1..b7ad1e19eb 100644
--- a/pkg/unshare/unshare_linux.go
+++ b/pkg/unshare/unshare_linux.go
@@ -394,7 +394,9 @@ func hasFullUsersMappings() (bool, error) {
 if err != nil {
 return false, err
 }
- // if the uid_map contains 4294967295, the entire IDs space is available in the
+ // The kernel rejects attempts to create mappings where either starting
+ // point is (u32)-1: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c?id=af3e9579ecfb#n1006 .
+ // So, if the uid_map contains 4294967295, the entire IDs space is available in the
 // user namespace, so it is likely the initial user namespace.
 return bytes.Contains(content, []byte("4294967295")), nil
 }
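Review bot: The new comment in hasFullUsersMappings stops one step short of the conclusion it is meant to justify: it says the kernel rejects a starting point of (u32)-1, but not that a match for 4294967295 can therefore only be the length column of an extent. Because this check decides whether the process is treated as being in the initial user namespace, I would state that step explicitly, e.g. `// A match can therefore only be the length field of an extent, never a starting ID.` If the linked kernel code also rejects extents whose start plus length wraps (I believe it does, but that is not visible here), it is worth adding that a length of 4294967295 then forces both starting points to 0. The function's body begins outside the hunk, so how `content` is read is not shown.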