From bf50b73b5ea4f4139cb239bd36bf7fa96c69904f Mon Sep 17 00:00:00 2001
From: Ma Shimiao
Date: Tue, 23 Aug 2016 15:11:34 +0800
Subject: [PATCH] add namespace check for uid/gid mappings
Signed-off-by: Ma Shimiao
---
 cmd/ocitools/validate.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/cmd/ocitools/validate.go b/cmd/ocitools/validate.go
index 246979aab..6c37147a5 100644
--- a/cmd/ocitools/validate.go
+++ b/cmd/ocitools/validate.go
@@ -316,13 +316,7 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 ipcExists := false
 mountExists := false
 netExists := false
-
- if len(spec.Linux.UIDMappings) > 5 {
- msgs = append(msgs, "Only 5 UID mappings are allowed (linux kernel restriction).")
- }
- if len(spec.Linux.GIDMappings) > 5 {
- msgs = append(msgs, "Only 5 GID mappings are allowed (linux kernel restriction).")
- }
+ userExists := false
 
 for index := 0; index < len(spec.Linux.Namespaces); index++ {
 if !namespaceValid(spec.Linux.Namespaces[index]) {
@@ -336,10 +330,20 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 netExists = true
 } else if spec.Linux.Namespaces[index].Type == rspec.MountNamespace {
 mountExists = true
+ } else if spec.Linux.Namespaces[index].Type == rspec.UserNamespace {
+ userExists = true
 }
 }
 }
 
+ if (len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0) && !userExists {
+ msgs = append(msgs, "UID/GID mappings requires a new User namespace to be specified as well")
+ } else if len(spec.Linux.UIDMappings) > 5 {
+ msgs = append(msgs, "Only 5 UID mappings are allowed (linux kernel restriction).")
+ } else if len(spec.Linux.GIDMappings) > 5 {
+ msgs = append(msgs, "Only 5 GID mappings are allowed (linux kernel restriction).")
+ }
+
 for k := range spec.Linux.Sysctl {
 if strings.HasPrefix(k, "net.") && !netExists {
 msgs = append(msgs, fmt.Sprintf("Sysctl %v requires a new Network namespace to be specified as well", k))
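Review bot: The new `else if` chain in the mapping check in the second hunk drops findings the old code reported independently: when no user namespace is present neither count limit is evaluated, and when UIDMappings exceeds 5 the GIDMappings limit is never checked, so a spec with several violations validates with a single message and the caller under-reports what is wrong. Making the three conditions independent restores the previous behaviour: change `} else if len(spec.Linux.UIDMappings) > 5 {` to `}` followed by `if len(spec.Linux.UIDMappings) > 5 {`, and do the same for the GID branch. The added message would also read better as `"UID/GID mappings require a new User namespace to be specified as well"`. checkLinux starts before the first hunk and continues past the end of the second.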