cdi: inject mount UID/GID mappings if user NS is in use.

klihub · klihub · commit 7d8ac63e4645 · 2025-10-18T10:13:59.000+03:00
When injecting mounts to a container with user namespaces in use,
inject the mounts with UID and GID mappings taken from the OCI
Spec.

Signed-off-by: Krisztian Litkey &lt;krisztian.litkey@intel.com&gt;
diff --git a/pkg/cdi/container-edits.go b/pkg/cdi/container-edits.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strings"
 
@@ -114,9 +115,18 @@ func (e *ContainerEdits) Apply(spec *oci.Spec) error {
 	}
 
 	if len(e.Mounts) > 0 {
+		var (
+			uids []oci.LinuxIDMapping
+			gids []oci.LinuxIDMapping
+		)
+
+		if specHasUserNamespace(spec) {
+			uids = slices.Clone(spec.Linux.UIDMappings)
+			gids = slices.Clone(spec.Linux.GIDMappings)
+		}
 		for _, m := range e.Mounts {
 			specgen.RemoveMount(m.ContainerPath)
-			specgen.AddMount((&Mount{m}).toOCI())
+			specgen.AddMount((&Mount{m}).toOCI(withMountIDMappings(uids, gids)))
 		}
 		sortMounts(&specgen)
 	}
@@ -387,3 +397,16 @@ func (m orderedMounts) Swap(i, j int) {
 func (m orderedMounts) parts(i int) int {
 	return strings.Count(filepath.Clean(m[i].Destination), string(os.PathSeparator))
 }
+
+// specHasUserNamespace returns true ifthe OCI Spec has a Linux UserNamespace.
+func specHasUserNamespace(spec *oci.Spec) bool {
+	if spec == nil || spec.Linux == nil {
+		return false
+	}
+	for _, ns := range spec.Linux.Namespaces {
+		if ns.Type == oci.UserNamespace {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/cdi/oci.go b/pkg/cdi/oci.go
@@ -30,14 +30,33 @@ func (h *Hook) toOCI() spec.Hook {
 	}
 }
 
+// Extra OCI mount option to apply to injected mounts.
+type extraOCIMountOption func(*spec.Mount)
+
+// withMountIDMappings adds UID and GID mappings for the given mount.
+func withMountIDMappings(uid, gid []spec.LinuxIDMapping) extraOCIMountOption {
+	return func(m *spec.Mount) {
+		if uid != nil {
+			m.UIDMappings = uid
+		}
+		if gid != nil {
+			m.GIDMappings = gid
+		}
+	}
+}
+
 // toOCI returns the opencontainers runtime Spec Mount for this Mount.
-func (m *Mount) toOCI() spec.Mount {
-	return spec.Mount{
+func (m *Mount) toOCI(options ...extraOCIMountOption) spec.Mount {
+	om := spec.Mount{
 		Source:      m.HostPath,
 		Destination: m.ContainerPath,
 		Options:     m.Options,
 		Type:        m.Type,
 	}
+	for _, o := range options {
+		o(&om)
+	}
+	return om
 }
 
 // toOCI returns the opencontainers runtime Spec LinuxDevice for this DeviceNode.
