[lxc-devel] [lxd/master] Allow identity mappings for unprivileged containers

jynnantonix on Github lxc-bot at linuxcontainers.org
Thu Jun 21 22:01:51 UTC 2018


From 596221c9748a38f0d75ef0349d6946691921e477 Mon Sep 17 00:00:00 2001
From: Chirantan Ekbote <chirantan at chromium.org>
Date: Thu, 21 Jun 2018 14:11:25 -0700
Subject: [PATCH] Allow identity mappings for unprivileged containers

Allow identity-mapped uid/gid ranges in the raw.idmap config even if the
LXD_UNPRIVILEGED_ONLY environment variable is set.  Make sure that the
validation also prevents the root user of the parent namespace from being
mapped into the child namespace.

This is useful for mapping the uid of the user into the child namespace
so that they can still access files in their home directory.

Signed-off-by: Chirantan Ekbote <chirantan at chromium.org>
---
 lxd/container.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/lxd/container.go b/lxd/container.go
index 77dc2e267..90b0d7743 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -243,6 +243,25 @@ func containerValidDeviceConfigKey(t, k string) bool {
 	}
 }
 
+func validateRawIdmap(rawIdmap string) error {
+	rawMaps, err := parseRawIdmap(rawIdmap)
+	if err != nil {
+		return err
+	}
+
+	for _, ent := range rawMaps {
+		if ent.Hostid == 0 {
+			return fmt.Errorf("Cannot map root user into container as LXD was configured to only allow unprivileged containers")
+		}
+
+		if ent.Hostid != ent.Nsid {
+			return fmt.Errorf("Cannot create non-identity mapping for container as LXD was configured to only allow unprivileged containers")
+		}
+	}
+
+	return nil
+}
+
 func containerValidConfig(sysOS *sys.OS, config map[string]string, profile bool, expanded bool) error {
 	if config == nil {
 		return nil
@@ -284,7 +303,9 @@ func containerValidConfig(sysOS *sys.OS, config map[string]string, profile bool,
 	unprivOnly := os.Getenv("LXD_UNPRIVILEGED_ONLY")
 	if shared.IsTrue(unprivOnly) {
 		if config["raw.idmap"] != "" {
-			return fmt.Errorf("raw.idmap can't be set as LXD was configured to only allow unprivileged containers")
+			if err := validateRawIdmap(config["raw.idmap"]); err != nil {
+				return err
+			}
 		}
 
 		if shared.IsTrue(config["security.privileged"]) {

