Prohibit --uid/gid map and --pod for container create/run

add a check in namespaceOptions() that ensures the user is not setting a new uid/gid map if entering or creating a pod that has an infra container resolves containers#12669 Signed-off-by: cdoern <cdoern@redhat.com>
cdoern · Jan 13, 2022 · 6996830 · 6996830
1 parent e98058a
commit 6996830
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 2 deletions.
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
@@ -365,6 +365,8 @@ GID map for the user namespace. Using this flag will run the container with user
 
 The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000`
 
+Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod.
+
 #### **--group-add**=*group|keep-groups*
 
 Add additional groups to assign to primary user running within the container process.
@@ -1166,6 +1168,7 @@ Even if a user does not have any subordinate UIDs in  _/etc/subuid_,
 **--uidmap** could still be used to map the normal UID of the user to a
 container UID by running `podman create --uidmap $container_uid:0:1 --user $container_uid ...`.
 
+Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod.
 
 #### **--ulimit**=*option*
 

diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
@@ -407,6 +407,8 @@ Meaning **groupname** is initially mapped to gid **100000** which is referenced
 above: The group **groupname** is mapped to group **100000** of the initial namespace then the
 **30000**st id of this namespace (which is gid 130000 in this namespace) is mapped to container namespace group id **0**. (groupname -> 100000 / 30000 -> 0)
 
+Note: the **--gidmap** flag cannot be called in conjunction with the **--pod** flag as a gidmap cannot be set on the container level when in a pod.
+
 #### **--group-add**=*group|keep-groups*
 
 Add additional groups to assign to primary user running within the container process.
@@ -1241,6 +1243,8 @@ Even if a user does not have any subordinate UIDs in  _/etc/subuid_,
 **--uidmap** could still be used to map the normal UID of the user to a
 container UID by running `podman run --uidmap $container_uid:0:1 --user $container_uid ...`.
 
+Note: the **--uidmap** flag cannot be called in conjunction with the **--pod** flag as a uidmap cannot be set on the container level when in a pod.
+
 #### **--ulimit**=*option*
 
 Ulimit options. You can use **host** to copy the current configuration from the host.

diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go
@@ -193,8 +193,14 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.
 	// This wipes the UserNS settings that get set from the infra container
 	// when we are inheritting from the pod. So only apply this if the container
 	// is not being created in a pod.
-	if s.IDMappings != nil && pod == nil {
-		toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+	if s.IDMappings != nil {
+		if pod == nil {
+			toReturn = append(toReturn, libpod.WithIDMappings(*s.IDMappings))
+		} else {
+			if pod.HasInfraContainer() && (len(s.IDMappings.UIDMap) > 0 || len(s.IDMappings.GIDMap) > 0) {
+				return nil, errors.Wrapf(define.ErrInvalidArg, "cannot specify a new uid/gid map when entering a pod with an infra container")
+			}
+		}
 	}
 	if s.User != "" {
 		toReturn = append(toReturn, libpod.WithUser(s.User))

diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go
@@ -693,4 +693,17 @@ var _ = Describe("Podman create", func() {
 		Expect(idata[0].Os).To(Equal(runtime.GOOS))
 		Expect(idata[0].Architecture).To(Equal("arm64"))
 	})
+
+	It("podman create --uid/gidmap --pod conflict test", func() {
+		create := podmanTest.Podman([]string{"create", "--uidmap", "0:1000:1000", "--pod", "new:testing123", ALPINE})
+		create.WaitWithDefaultTimeout()
+		Expect(create).ShouldNot(Exit(0))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+
+		create = podmanTest.Podman([]string{"create", "--gidmap", "0:1000:1000", "--pod", "new:testing1234", ALPINE})
+		create.WaitWithDefaultTimeout()
+		Expect(create).ShouldNot(Exit(0))
+		Expect(create.ErrorToString()).To(ContainSubstring("cannot specify a new uid/gid map when entering a pod with an infra container"))
+
+	})
 })