[lxc-devel] [lxd/master] Don't assign idmaps to privileged containers

stgraber on Github lxc-bot at linuxcontainers.org
Fri Nov 25 00:54:43 UTC 2016


From 6cf8a19224de1cdfbbf672183bea193b3dc7c238 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Thu, 24 Nov 2016 19:54:04 -0500
Subject: [PATCH] Don't assign idmaps to privileged containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 55 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 21 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 40f13a1..235ce36 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -233,16 +233,21 @@ func containerLXCCreate(d *Daemon, args containerArgs) (container, error) {
 	}
 
 	// Setup initial idmap config
-	idmap, base, err := findIdmap(
-		d,
-		args.Name,
-		c.expandedConfig["security.idmap.isolated"],
-		c.expandedConfig["security.idmap.size"],
-		c.expandedConfig["raw.idmap"],
-	)
-	if err != nil {
-		c.Delete()
-		return nil, err
+	var idmap *shared.IdmapSet
+	base := 0
+	if !c.IsPrivileged() {
+		idmap, base, err = findIdmap(
+			d,
+			args.Name,
+			c.expandedConfig["security.idmap.isolated"],
+			c.expandedConfig["security.idmap.size"],
+			c.expandedConfig["raw.idmap"],
+		)
+
+		if err != nil {
+			c.Delete()
+			return nil, err
+		}
 	}
 
 	var jsonIdmap string
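Review bot: For a privileged container the new block leaves `idmap` nil and `base` at 0, so everything downstream in containerLXCCreate that consumes them (the `jsonIdmap` serialisation starting right after the hunk, and presumably whatever reads the stored map later at start time) must now treat a nil `*shared.IdmapSet` as "no mapping" rather than as a zero-size map; that contract is not visible here and deserves a comment at the declaration, e.g. `// Privileged containers get no idmap (nil, base 0): they run in the host's id namespace.` Note also that `idmap, base, err = findIdmap(...)` now assigns `err` with `=` instead of the previous `:=`, which only compiles if an `err` is already declared earlier in the function; containerLXCCreate begins and ends outside this hunk, so that cannot be confirmed from the patch. Worth a quick check that no later line still assumes `idmap != nil` (for example a call through `idmap.ToLxcString()` without a guard).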
@@ -565,6 +570,10 @@ func findIdmap(daemon *Daemon, cName string, isolatedStr string, configSize stri
 			return nil, 0, err
 		}
 
+		if container.IsPrivileged() {
+			continue
+		}
+
 		if !shared.IsTrue(container.ExpandedConfig()["security.idmap.isolated"]) {
 			continue
 		}
@@ -2903,17 +2912,21 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
 		}
 	}
 
-	if shared.StringInSlice("security.idmap.isolated", changedConfig) || shared.StringInSlice("security.idmap.size", changedConfig) || shared.StringInSlice("raw.idmap", changedConfig) {
-		// update the idmap
-		idmap, base, err := findIdmap(
-			c.daemon,
-			c.Name(),
-			c.expandedConfig["security.idmap.isolated"],
-			c.expandedConfig["security.idmap.size"],
-			c.expandedConfig["raw.idmap"],
-		)
-		if err != nil {
-			return err
+	if shared.StringInSlice("security.idmap.isolated", changedConfig) || shared.StringInSlice("security.idmap.size", changedConfig) || shared.StringInSlice("raw.idmap", changedConfig) || shared.StringInSlice("security.privileged", changedConfig) {
+		var idmap *shared.IdmapSet
+		base := 0
+		if !c.IsPrivileged() {
+			// update the idmap
+			idmap, base, err = findIdmap(
+				c.daemon,
+				c.Name(),
+				c.expandedConfig["security.idmap.isolated"],
+				c.expandedConfig["security.idmap.size"],
+				c.expandedConfig["raw.idmap"],
+			)
+			if err != nil {
+				return err
+			}
 		}
 
 		var jsonIdmap string
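Review bot: Adding `security.privileged` to the trigger condition means Update now handles two transitions with very different consequences, and the hunk only shows the allocation half: switching unprivileged → privileged yields a nil `idmap`, so whatever follows `var jsonIdmap string` must serialise nil as "no map" and must also arrange for the rootfs to be shifted back to host ownership before the container is next started, otherwise files stay owned by the old mapped range and are either inaccessible or, worse, writable by an unrelated unprivileged container later allotted that range. The reverse transition (privileged → unprivileged) allocates a fresh map via findIdmap but likewise depends on a shift being scheduled; neither the shift logic nor the rest of Update is inside this hunk, so this is inferred rather than observed. A comment on the `if !c.IsPrivileged()` branch would help: `// Toggling security.privileged changes the idmap (nil when privileged); the rootfs must be re-shifted accordingly.` As in containerLXCCreate, `err` is now assigned with `=` and relies on an outer declaration that is not visible here.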

