[lxc-devel] [lxd/master] Bugfixes
stgraber on Github
lxc-bot at linuxcontainers.org
Mon Mar 6 23:32:48 UTC 2017
From 8abb1b3a40aa90f6b2be02cab51e3475dc625f50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 6 Mar 2017 18:31:23 -0500
Subject: [PATCH] shared/idmap: Fix various issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Restore our old default map for when no shadow is found
- Fix the validity check so that it also works with hybrid maps (entries
listed with both Isuid and Isgid set to true).
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
shared/idmapset_linux.go | 55 +++++++++++++++++++++++++++++++++++++-----------
1 file changed, 43 insertions(+), 12 deletions(-)
diff --git a/shared/idmapset_linux.go b/shared/idmapset_linux.go
index 85e991f..7a8648a 100644
--- a/shared/idmapset_linux.go
+++ b/shared/idmapset_linux.go
@@ -7,6 +7,7 @@ import (
"os/exec"
"path"
"path/filepath"
+ "reflect"
"sort"
"strconv"
"strings"
@@ -106,24 +107,42 @@ func (e *IdmapEntry) Usable() error {
return err
}
- valid := false
- for _, kernelRange := range kernelRanges {
- if kernelRange.Isuid != e.Isuid {
- continue
- }
+ // Validate the uid map
+ if e.Isuid {
+ valid := false
+ for _, kernelRange := range kernelRanges {
+ if !kernelRange.Isuid {
+ continue
+ }
- if kernelRange.Isgid != e.Isgid {
- continue
+ if kernelRange.Contains(e.Hostid) && kernelRange.Contains(e.Hostid+e.Maprange-1) {
+ valid = true
+ break
+ }
}
- if kernelRange.Contains(e.Hostid) && kernelRange.Contains(e.Hostid+e.Maprange-1) {
- valid = true
- break
+ if !valid {
+ return fmt.Errorf("The '%s' map can't work in the current user namespace.", e.ToLxcString())
}
}
- if !valid {
- return fmt.Errorf("The '%s' map can't work in the current user namespace.", e.ToLxcString())
+ // Validate the gid map
+ if e.Isgid {
+ valid := false
+ for _, kernelRange := range kernelRanges {
+ if !kernelRange.Isgid {
+ continue
+ }
+
+ if kernelRange.Contains(e.Hostid) && kernelRange.Contains(e.Hostid+e.Maprange-1) {
+ valid = true
+ break
+ }
+ }
+
+ if !valid {
+ return fmt.Errorf("The '%s' map can't work in the current user namespace.", e.ToLxcString())
+ }
}
return nil
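Review bot: The uid branch and the gid branch added in this hunk are the same loop written twice, differing only in which IdRange flag is filtered on, so the `e.Hostid+e.Maprange-1` upper-bound arithmetic now lives in two places that must be kept in sync; a small helper taking a flag selector removes the duplication. The two failure paths also return byte-identical messages, so an operator cannot tell from the error which half of a hybrid entry was rejected; `return fmt.Errorf("The uid part of the '%s' map can't work in the current user namespace.", e.ToLxcString())` and the gid counterpart would make the log actionable. Usable starts before the hunk and its closing brace lies after it, and I am assuming kernelRanges is the same []*IdRange slice the DefaultIdmapSet hunk compares with reflect.DeepEqual and that Hostid/Maprange are int64 like the IdRange bounds.
```go
// rangeWithinKernel reports whether [hostid, hostid+maprange-1] fits entirely
// inside a single kernel range accepted by the kind selector.
func rangeWithinKernel(kernelRanges []*IdRange, hostid, maprange int64, kind func(*IdRange) bool) bool {
	for _, kernelRange := range kernelRanges {
		if !kind(kernelRange) {
			continue
		}
		if kernelRange.Contains(hostid) && kernelRange.Contains(hostid+maprange-1) {
			return true
		}
	}
	return false
}

// … unchanged: kernelRanges lookup and its error check …

// Validate the uid map
if e.Isuid && !rangeWithinKernel(kernelRanges, e.Hostid, e.Maprange, func(r *IdRange) bool { return r.Isuid }) {
	return fmt.Errorf("The uid part of the '%s' map can't work in the current user namespace.", e.ToLxcString())
}

// Validate the gid map
if e.Isgid && !rangeWithinKernel(kernelRanges, e.Hostid, e.Maprange, func(r *IdRange) bool { return r.Isgid }) {
	return fmt.Errorf("The gid part of the '%s' map can't work in the current user namespace.", e.ToLxcString())
}

return nil
```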
@@ -683,6 +702,18 @@ func DefaultIdmapSet() (*IdmapSet, error) {
return nil, err
}
+ // Special case for when we have the full kernel range
+ fullKernelRanges := []*IdRange{
+ {true, false, int64(0), int64(4294967294)},
+ {false, true, int64(0), int64(4294967294)}}
+
+ if reflect.DeepEqual(kernelRanges, fullKernelRanges) {
+ // Hardcoded fallback map
+ e := IdmapEntry{Isuid: true, Isgid: true, Nsid: 0, Hostid: 1000000, Maprange: 1000000000}
+ idmapset.Idmap = Extend(idmapset.Idmap, e)
+ return idmapset, nil
+ }
+
// Find a suitable uid range
for _, entry := range kernelRanges {
// We only care about uids right now
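Review bot: The `if reflect.DeepEqual(kernelRanges, fullKernelRanges)` check only fires when kernelRanges holds exactly two entries in uid-then-gid order, so a full-range result reported in the other order or alongside an extra entry silently skips the fallback and continues into the generic range search below; an order-independent check that looks for a uid range and a gid range each containing both 0 and 4294967294 is more robust and would make the "reflect" import added in the first hunk unnecessary. The positional literals `{true, false, int64(0), int64(4294967294)}` depend on IdRange's field order and 4294967294 is an unexplained magic value; named fields plus a named constant with a comment explaining why the bound is 4294967294 rather than 2^32-1 would make the intent visible. The `// Hardcoded fallback map` comment should also state why this host range (1000000, length 1000000000) was chosen, since the commit message only says it restores the previous default. DefaultIdmapSet continues past the end of the hunk.
```go
// … unchanged: kernelRanges lookup and its error check …

// Special case for when we have the full kernel range; checked per kind so
// the order in which the ranges were reported does not matter.
const fullKernelRangeMax = int64(4294967294) // TODO confirm: end id the kernel reports for an unrestricted map

fullUID, fullGID := false, false
for _, kernelRange := range kernelRanges {
	full := kernelRange.Contains(0) && kernelRange.Contains(fullKernelRangeMax)
	if kernelRange.Isuid && full {
		fullUID = true
	}
	if kernelRange.Isgid && full {
		fullGID = true
	}
}

if fullUID && fullGID {
	// Hardcoded fallback map, restoring the previous default (see commit message)
	e := IdmapEntry{Isuid: true, Isgid: true, Nsid: 0, Hostid: 1000000, Maprange: 1000000000}
	idmapset.Idmap = Extend(idmapset.Idmap, e)
	return idmapset, nil
}

// … unchanged: uid/gid range search …
```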