[lxc-devel] [lxd/master] Don't assign idmaps to privileged containers
stgraber on Github
lxc-bot at linuxcontainers.org
Fri Nov 25 00:54:43 UTC 2016
From 6cf8a19224de1cdfbbf672183bea193b3dc7c238 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 24 Nov 2016 19:54:04 -0500
Subject: [PATCH] Don't assign idmaps to privileged containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container_lxc.go | 55 ++++++++++++++++++++++++++++++++--------------------
1 file changed, 34 insertions(+), 21 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 40f13a1..235ce36 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -233,16 +233,21 @@ func containerLXCCreate(d *Daemon, args containerArgs) (container, error) {
}
// Setup initial idmap config
- idmap, base, err := findIdmap(
- d,
- args.Name,
- c.expandedConfig["security.idmap.isolated"],
- c.expandedConfig["security.idmap.size"],
- c.expandedConfig["raw.idmap"],
- )
- if err != nil {
- c.Delete()
- return nil, err
+ var idmap *shared.IdmapSet
+ base := 0
+ if !c.IsPrivileged() {
+ idmap, base, err = findIdmap(
+ d,
+ args.Name,
+ c.expandedConfig["security.idmap.isolated"],
+ c.expandedConfig["security.idmap.size"],
+ c.expandedConfig["raw.idmap"],
+ )
+
+ if err != nil {
+ c.Delete()
+ return nil, err
+ }
}
var jsonIdmap string
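Review bot: The privileged branch leaves `idmap` nil and `base` at 0, and the `var jsonIdmap string` that follows has to tolerate a nil `*shared.IdmapSet` before anything is serialised into the container's volatile keys; that handling sits outside the hunk, so it is worth confirming rather than assuming. The assignment `idmap, base, err = findIdmap(` also moves from `:=` to `=`, which only compiles if `err` is already declared earlier in containerLXCCreate. A one-line comment on the guard would record the intent for the next reader: `// Privileged containers get no uid/gid range; idmap stays nil and base 0.` The same nil-idmap path is introduced in the Update hunk below, so the same check applies there. containerLXCCreate continues outside the hunk.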
@@ -565,6 +570,10 @@ func findIdmap(daemon *Daemon, cName string, isolatedStr string, configSize stri
return nil, 0, err
}
+ if container.IsPrivileged() {
+ continue
+ }
+
if !shared.IsTrue(container.ExpandedConfig()["security.idmap.isolated"]) {
continue
}
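Review bot: Skipping privileged containers means whatever idmap range such a container still records is no longer treated as occupied by findIdmap, so a container that was switched from unprivileged to privileged must have its stale range cleared, otherwise another container can be handed the same base while the old values linger; whether the Update path clears that state is not visible in this patch. A comment on the new `continue` would make the assumption explicit: `// Privileged containers own no idmap range, so they never block an allocation.` The guard could also be folded into the following isolated check as `if container.IsPrivileged() || !shared.IsTrue(container.ExpandedConfig()["security.idmap.isolated"]) {`, though that is a matter of taste. The enclosing loop in findIdmap starts and ends outside the hunk.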
@@ -2903,17 +2912,21 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
}
}
- if shared.StringInSlice("security.idmap.isolated", changedConfig) || shared.StringInSlice("security.idmap.size", changedConfig) || shared.StringInSlice("raw.idmap", changedConfig) {
- // update the idmap
- idmap, base, err := findIdmap(
- c.daemon,
- c.Name(),
- c.expandedConfig["security.idmap.isolated"],
- c.expandedConfig["security.idmap.size"],
- c.expandedConfig["raw.idmap"],
- )
- if err != nil {
- return err
+ if shared.StringInSlice("security.idmap.isolated", changedConfig) || shared.StringInSlice("security.idmap.size", changedConfig) || shared.StringInSlice("raw.idmap", changedConfig) || shared.StringInSlice("security.privileged", changedConfig) {
+ var idmap *shared.IdmapSet
+ base := 0
+ if !c.IsPrivileged() {
+ // update the idmap
+ idmap, base, err = findIdmap(
+ c.daemon,
+ c.Name(),
+ c.expandedConfig["security.idmap.isolated"],
+ c.expandedConfig["security.idmap.size"],
+ c.expandedConfig["raw.idmap"],
+ )
+ if err != nil {
+ return err
+ }
}
var jsonIdmap string
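Review bot: The condition on the first added line now chains four `shared.StringInSlice` calls on one line, which is hard to read and easy to extend incorrectly the next time an idmap-relevant key is added; a small loop over the key list keeps the trigger set in one place. The `// update the idmap` comment moved inside the `!c.IsPrivileged()` branch is fine, but a second comment on the privileged case would help, e.g. `// Privileged: drop any previously assigned idmap.` The assignment `idmap, base, err = findIdmap(` relies on an `err` declared earlier in Update, which is outside the hunk, as is the rest of the function.
```go
idmapKeys := []string{"security.idmap.isolated", "security.idmap.size", "raw.idmap", "security.privileged"}
idmapChanged := false
for _, key := range idmapKeys {
	if shared.StringInSlice(key, changedConfig) {
		idmapChanged = true
		break
	}
}
if idmapChanged {
	// … unchanged: idmap recomputation for unprivileged containers …
```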