add namespace check for uid/gid mappings

Signed-off-by: Ma Shimiao <[email protected]>
wking · Aug 24, 2016 · bf50b73 · bf50b73
1 parent ebda26c
commit bf50b73
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/cmd/ocitools/validate.go b/cmd/ocitools/validate.go
@@ -316,13 +316,7 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 	ipcExists := false
 	mountExists := false
 	netExists := false
-
-	if len(spec.Linux.UIDMappings) > 5 {
-		msgs = append(msgs, "Only 5 UID mappings are allowed (linux kernel restriction).")
-	}
-	if len(spec.Linux.GIDMappings) > 5 {
-		msgs = append(msgs, "Only 5 GID mappings are allowed (linux kernel restriction).")
-	}
+	userExists := false
 
 	for index := 0; index < len(spec.Linux.Namespaces); index++ {
 		if !namespaceValid(spec.Linux.Namespaces[index]) {
@@ -336,10 +330,20 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 				netExists = true
 			} else if spec.Linux.Namespaces[index].Type == rspec.MountNamespace {
 				mountExists = true
+			} else if spec.Linux.Namespaces[index].Type == rspec.UserNamespace {
+				userExists = true
 			}
 		}
 	}
 
+	if (len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0) && !userExists {
+		msgs = append(msgs, "UID/GID mappings requires a new User namespace to be specified as well")
+	} else if len(spec.Linux.UIDMappings) > 5 {
+		msgs = append(msgs, "Only 5 UID mappings are allowed (linux kernel restriction).")
+	} else if len(spec.Linux.GIDMappings) > 5 {
+		msgs = append(msgs, "Only 5 GID mappings are allowed (linux kernel restriction).")
+	}
+
 	for k := range spec.Linux.Sysctl {
 		if strings.HasPrefix(k, "net.") && !netExists {
 			msgs = append(msgs, fmt.Sprintf("Sysctl %v requires a new Network namespace to be specified as well", k))