[lxc-devel] [lxc/master] conf: only use newuidmap and newgidmap when necessary

3XX0 on Github lxc-bot at linuxcontainers.org
Sat Jun 9 00:29:24 UTC 2018


From c724025c5086519065420348288922a6469865fb Mon Sep 17 00:00:00 2001
From: Jonathan Calmels <jcalmels at nvidia.com>
Date: Fri, 8 Jun 2018 16:58:11 -0700
Subject: [PATCH] conf: only use newuidmap and newgidmap when necessary

Signed-off-by: Jonathan Calmels <jcalmels at nvidia.com>
---
 src/lxc/conf.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index b2872c995..c5586b33c 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2845,6 +2845,10 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 	int ret = 0, gidmap = 0, uidmap = 0;
 	char mapbuf[9 + 1 + LXC_NUMSTRLEN64 + 1 + LXC_IDMAPLEN] = {0};
 	bool had_entry = false, use_shadow = false;
+	int hostuid, hostgid;
+
+	hostuid = geteuid();
+	hostgid = getegid();
 
 	/* If new{g,u}idmap exists, that is, if shadow is handing out subuid
 	 * ranges, then insist that root also reserve ranges in subuid. This
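Review bot: `hostuid` and `hostgid` are declared `int` but hold the results of `geteuid()`/`getegid()`, which return `uid_t`/`gid_t` (unsigned on Linux), so the later comparisons against the idmap entries go through sign conversion. Declaring them with their real types and initialising at the point of declaration avoids that: `uid_t hostuid = geteuid();` and `gid_t hostgid = getegid();`. The `%d` in the DEBUG message of the next hunk would then need a matching conversion (a cast to `int` as the old call effectively had, or a `%u` specifier). lxc_map_ids continues outside this hunk.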
@@ -2873,7 +2877,25 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 		 * doing so by requiring geteuid() == 0.
 		 */
 		DEBUG("No newuidmap and newgidmap binary found. Trying to "
-		      "write directly with euid %d", geteuid());
+		      "write directly with euid %d", hostuid);
+	}
+
+	/* Check if we really need to use newuidmap and newgidmap.
+	* If the user is only remapping his own {g,u}id, we don't need it.
+	*/
+	if (use_shadow && lxc_list_len(idmap) == 2) {
+		use_shadow = false;
+		lxc_list_for_each(iterator, idmap) {
+			map = iterator->elem;
+			if (map->idtype == ID_TYPE_UID && map->range == 1 &&
+			    map->nsid == hostuid && map->hostid == hostuid)
+				continue;
+			if (map->idtype == ID_TYPE_GID && map->range == 1 &&
+			    map->nsid == hostgid && map->hostid == hostgid)
+				continue;
+			use_shadow = true;
+			break;
+		}
 	}
 
 	for (type = ID_TYPE_UID, u_or_g = 'u'; type <= ID_TYPE_GID;
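Review bot: The relaxed check does not require one UID and one GID line: any two entries that each match the caller's own id clear `use_shadow`, so an idmap holding two identical `ID_TYPE_UID` entries also passes it and is then written directly. Recording which type was matched and only clearing `use_shadow` when both a uid and a gid line were seen limits the fast path to the case the comment describes. This path is now also reachable for unprivileged callers, whereas the context comment above states direct writes were expected only with euid 0; an unprivileged writer of gid_map additionally needs `/proc/<pid>/setgroups` set to "deny" beforehand, and the remainder of lxc_map_ids (outside this hunk) should be checked for that. Style: the continuation lines of the new comment block lack the leading space before `*` used by the surrounding comments.

```c
	/* Check if we really need to use newuidmap and newgidmap.
	 * If the user is only remapping his own {g,u}id, we don't need it.
	 */
	if (use_shadow && lxc_list_len(idmap) == 2) {
		bool own_uid = false, own_gid = false;

		lxc_list_for_each(iterator, idmap) {
			map = iterator->elem;
			if (map->idtype == ID_TYPE_UID && map->range == 1 &&
			    map->nsid == hostuid && map->hostid == hostuid)
				own_uid = true;
			else if (map->idtype == ID_TYPE_GID && map->range == 1 &&
				 map->nsid == hostgid && map->hostid == hostgid)
				own_gid = true;
		}
		/* Only skip new{u,g}idmap for exactly one uid line and one gid
		 * line, both mapping the caller's own id onto itself.
		 */
		use_shadow = !(own_uid && own_gid);
	}
	/* … unchanged: per-type write loop … */
```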

