libcontainer/configs/validate: improve rootlessEUIDMount

kolyshkin · kolyshkin · commit 746a5c23c949 · 2025-02-06T19:47:23.000-08:00
1. Avoid splitting mount data into []string if it does not contain
   options we're interested in. This should result in slightly less
   garbage to collect.

2. Use if / else if instead of continue, to make it clearer that
   we're processing one option at a time.

3. Print the whole option as a sting in an error message; practically
   this should not have any effect, it's just simpler.

4. Improve some comments.

Signed-off-by: Kir Kolyshkin &lt;kolyshkin@gmail.com&gt;
diff --git a/libcontainer/configs/validate/rootless.go b/libcontainer/configs/validate/rootless.go
@@ -52,9 +52,14 @@ func rootlessEUIDMount(config *configs.Config) error {
 	//      convinced that's a good idea. The kernel is the best arbiter of
 	//      access control.
 
+	// Check that the options list doesn't contain any uid= or gid= entries
+	// that don't resolve to root.
 	for _, mount := range config.Mounts {
-		// Check that the options list doesn't contain any uid= or gid= entries
-		// that don't resolve to root.
+		// Look for a common substring; skip further processing
+		// if there can't be any uid= or gid= options.
+		if !strings.Contains(mount.Data, "id=") {
+			continue
+		}
 		for _, opt := range strings.Split(mount.Data, ",") {
 			if str, ok := strings.CutPrefix(opt, "uid="); ok {
 				uid, err := strconv.Atoi(str)
@@ -63,18 +68,16 @@ func rootlessEUIDMount(config *configs.Config) error {
 					continue
 				}
 				if _, err := config.HostUID(uid); err != nil {
-					return fmt.Errorf("cannot specify uid=%d mount option for rootless container: %w", uid, err)
+					return fmt.Errorf("cannot specify %s mount option for rootless container: %w", opt, err)
 				}
-				continue
-			}
-			if str, ok := strings.CutPrefix(opt, "gid="); ok {
+			} else if str, ok := strings.CutPrefix(opt, "gid="); ok {
 				gid, err := strconv.Atoi(str)
 				if err != nil {
 					// Ignore unknown mount options.
 					continue
 				}
 				if _, err := config.HostGID(gid); err != nil {
-					return fmt.Errorf("cannot specify gid=%d mount option for rootless container: %w", gid, err)
+					return fmt.Errorf("cannot specify %s mount option for rootless container: %w", opt, err)
 				}
 			}
 		}
