Merge pull request #1529 from giuseppe/rootless-improvements

Support multiple users/groups mapped for the rootless case

Author: crosbymichael

Dockerfile

@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
     protobuf-c-compiler \
     protobuf-compiler \
     python-minimal \
+    uidmap \
     --no-install-recommends \
     && apt-get clean
 

Makefile

@@ -77,11 +77,10 @@ localintegration: all
 	bats -t tests/integration${TESTFLAGS}
 
 rootlessintegration: runcimage
-	docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) --cap-drop=ALL -u rootless $(RUNC_IMAGE) make localintegration
+	docker run -e TESTFLAGS -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localrootlessintegration
 
-# FIXME: This should not be separate from rootlessintegration's method of running.
 localrootlessintegration: all
-	sudo -u rootless -H PATH="${PATH}" bats -t tests/integration${TESTFLAGS}
+	tests/rootless.sh
 
 shell: all
 	docker run -e TESTFLAGS -ti --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) bash

libcontainer/configs/validate/rootless.go

@@ -36,37 +36,27 @@ func (v *ConfigValidator) rootless(config *configs.Config) error {
 	return nil
 }
 
-func rootlessMappings(config *configs.Config) error {
-	rootuid, err := config.HostRootUID()
-	if err != nil {
-		return fmt.Errorf("failed to get root uid from uidMappings: %v", err)
+func hasIDMapping(id int, mappings []configs.IDMap) bool {
+	for _, m := range mappings {
+		if id >= m.ContainerID && id < m.ContainerID+m.Size {
+			return true
+		}
 	}
+	return false
+}
+
+func rootlessMappings(config *configs.Config) error {
 	if euid := geteuid(); euid != 0 {
 		if !config.Namespaces.Contains(configs.NEWUSER) {
 			return fmt.Errorf("rootless containers require user namespaces")
 		}
-		if rootuid != euid {
-			return fmt.Errorf("rootless containers cannot map container root to a different host user")
-		}
 	}
 
-	rootgid, err := config.HostRootGID()
-	if err != nil {
-		return fmt.Errorf("failed to get root gid from gidMappings: %v", err)
+	if len(config.UidMappings) == 0 {
+		return fmt.Errorf("rootless containers requires at least one UID mapping")
 	}
-
-	// Similar to the above test, we need to make sure that we aren't trying to
-	// map to a group ID that we don't have the right to be.
-	if rootgid != getegid() {
-		return fmt.Errorf("rootless containers cannot map container root to a different host group")
-	}
-
-	// We can only map one user and group inside a container (our own).
-	if len(config.UidMappings) != 1 || config.UidMappings[0].Size != 1 {
-		return fmt.Errorf("rootless containers cannot map more than one user")
-	}
-	if len(config.GidMappings) != 1 || config.GidMappings[0].Size != 1 {
-		return fmt.Errorf("rootless containers cannot map more than one group")
+	if len(config.GidMappings) == 0 {
+		return fmt.Errorf("rootless containers requires at least one UID mapping")
 	}
 
 	return nil
@@ -104,11 +94,28 @@ func rootlessMount(config *configs.Config) error {
 		// Check that the options list doesn't contain any uid= or gid= entries
 		// that don't resolve to root.
 		for _, opt := range strings.Split(mount.Data, ",") {
-			if strings.HasPrefix(opt, "uid=") && opt != "uid=0" {
-				return fmt.Errorf("cannot specify uid= mount options in rootless containers where argument isn't 0")
+			if strings.HasPrefix(opt, "uid=") {
+				var uid int
+				n, err := fmt.Sscanf(opt, "uid=%d", &uid)
+				if n != 1 || err != nil {
+					// Ignore unknown mount options.
+					continue
+				}
+				if !hasIDMapping(uid, config.UidMappings) {
+					return fmt.Errorf("cannot specify uid= mount options for unmapped uid in rootless containers")
+				}
 			}
-			if strings.HasPrefix(opt, "gid=") && opt != "gid=0" {
-				return fmt.Errorf("cannot specify gid= mount options in rootless containers where argument isn't 0")
+
+			if strings.HasPrefix(opt, "gid=") {
+				var gid int
+				n, err := fmt.Sscanf(opt, "gid=%d", &gid)
+				if n != 1 || err != nil {
+					// Ignore unknown mount options.
+					continue
+				}
+				if !hasIDMapping(gid, config.GidMappings) {
+					return fmt.Errorf("cannot specify gid= mount options for unmapped gid in rootless containers")
+				}
 			}
 		}
 	}

libcontainer/configs/validate/rootless_test.go

@@ -66,28 +66,6 @@ func TestValidateRootlessMappingUid(t *testing.T) {
 	if err := validator.Validate(config); err == nil {
 		t.Errorf("Expected error to occur if no uid mappings provided")
 	}
-
-	config = rootlessConfig()
-	config.UidMappings[0].HostID = geteuid() + 1
-	if err := validator.Validate(config); err == nil {
-		t.Errorf("Expected error to occur if geteuid() != mapped uid")
-	}
-
-	config = rootlessConfig()
-	config.UidMappings[0].Size = 1024
-	if err := validator.Validate(config); err == nil {
-		t.Errorf("Expected error to occur if more than one uid mapped")
-	}
-
-	config = rootlessConfig()
-	config.UidMappings = append(config.UidMappings, configs.IDMap{
-		HostID:      geteuid() + 1,
-		ContainerID: 0,
-		Size:        1,
-	})
-	if err := validator.Validate(config); err == nil {
-		t.Errorf("Expected error to occur if more than one uid extent mapped")
-	}
 }
 
 func TestValidateRootlessMappingGid(t *testing.T) {
@@ -98,28 +76,6 @@ func TestValidateRootlessMappingGid(t *testing.T) {
 	if err := validator.Validate(config); err == nil {
 		t.Errorf("Expected error to occur if no gid mappings provided")
 	}
-
-	config = rootlessConfig()
-	config.GidMappings[0].HostID = getegid() + 1
-	if err := validator.Validate(config); err == nil {
-		t.Errorf("Expected error to occur if getegid() != mapped gid")
-	}
-
-	config = rootlessConfig()
-	config.GidMappings[0].Size = 1024
-	if err := validator.Validate(config); err == nil {
-		t.Errorf("Expected error to occur if more than one gid mapped")
-	}
-
-	config = rootlessConfig()
-	config.GidMappings = append(config.GidMappings, configs.IDMap{
-		HostID:      getegid() + 1,
-		ContainerID: 0,
-		Size:        1,
-	})
-	if err := validator.Validate(config); err == nil {
-		t.Errorf("Expected error to occur if more than one gid extent mapped")
-	}
 }
 
 /* rootlessMount() */
@@ -149,6 +105,18 @@ func TestValidateRootlessMountUid(t *testing.T) {
 	if err := validator.Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when setting uid=0 in mount options: %+v", err)
 	}
+
+	config.Mounts[0].Data = "uid=2"
+	config.UidMappings[0].Size = 10
+	if err := validator.Validate(config); err != nil {
+		t.Errorf("Expected error to not occur when setting uid=2 in mount options and UidMapping[0].size is 10")
+	}
+
+	config.Mounts[0].Data = "uid=20"
+	config.UidMappings[0].Size = 10
+	if err := validator.Validate(config); err == nil {
+		t.Errorf("Expected error to occur when setting uid=20 in mount options and UidMapping[0].size is 10")
+	}
 }
 
 func TestValidateRootlessMountGid(t *testing.T) {
@@ -176,6 +144,18 @@ func TestValidateRootlessMountGid(t *testing.T) {
 	if err := validator.Validate(config); err != nil {
 		t.Errorf("Expected error to not occur when setting gid=0 in mount options: %+v", err)
 	}
+
+	config.Mounts[0].Data = "gid=5"
+	config.GidMappings[0].Size = 10
+	if err := validator.Validate(config); err != nil {
+		t.Errorf("Expected error to not occur when setting gid=5 in mount options and GidMapping[0].size is 10")
+	}
+
+	config.Mounts[0].Data = "gid=11"
+	config.GidMappings[0].Size = 10
+	if err := validator.Validate(config); err == nil {
+		t.Errorf("Expected error to occur when setting gid=11 in mount options and GidMapping[0].size is 10")
+	}
 }
 
 /* rootlessCgroup() */

libcontainer/container_linux.go

@@ -44,6 +44,8 @@ type linuxContainer struct {
 	initProcess          parentProcess
 	initProcessStartTime uint64
 	criuPath             string
+	newuidmapPath        string
+	newgidmapPath        string
 	m                    sync.Mutex
 	criuVersion          int
 	state                containerState
@@ -1707,6 +1709,12 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 	if !joinExistingUser {
 		// write uid mappings
 		if len(c.config.UidMappings) > 0 {
+			if c.config.Rootless && c.newuidmapPath != "" {
+				r.AddData(&Bytemsg{
+					Type:  UidmapPathAttr,
+					Value: []byte(c.newuidmapPath),
+				})
+			}
 			b, err := encodeIDMapping(c.config.UidMappings)
 			if err != nil {
 				return nil, err
@@ -1727,6 +1735,12 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 				Type:  GidmapAttr,
 				Value: b,
 			})
+			if c.config.Rootless && c.newgidmapPath != "" {
+				r.AddData(&Bytemsg{
+					Type:  GidmapPathAttr,
+					Value: []byte(c.newgidmapPath),
+				})
+			}
 			// The following only applies if we are root.
 			if !c.config.Rootless {
 				// check if we have CAP_SETGID to setgroup properly

libcontainer/factory_linux.go

@@ -140,6 +140,9 @@ func New(root string, options ...func(*LinuxFactory) error) (Factory, error) {
 	}
 	Cgroupfs(l)
 	for _, opt := range options {
+		if opt == nil {
+			continue
+		}
 		if err := opt(l); err != nil {
 			return nil, err
 		}
@@ -160,6 +163,11 @@ type LinuxFactory struct {
 	// containers.
 	CriuPath string
 
+	// New{u,g}uidmapPath is the path to the binaries used for mapping with
+	// rootless containers.
+	NewuidmapPath string
+	NewgidmapPath string
+
 	// Validator provides validation to container configurations.
 	Validator validate.Validator
 
@@ -201,6 +209,8 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
 		config:        config,
 		initArgs:      l.InitArgs,
 		criuPath:      l.CriuPath,
+		newuidmapPath: l.NewuidmapPath,
+		newgidmapPath: l.NewgidmapPath,
 		cgroupManager: l.NewCgroupsManager(config.Cgroups, nil),
 	}
 	c.intelRdtManager = nil
@@ -236,6 +246,8 @@ func (l *LinuxFactory) Load(id string) (Container, error) {
 		config:               &state.Config,
 		initArgs:             l.InitArgs,
 		criuPath:             l.CriuPath,
+		newuidmapPath:        l.NewuidmapPath,
+		newgidmapPath:        l.NewgidmapPath,
 		cgroupManager:        l.NewCgroupsManager(state.Config.Cgroups, state.CgroupPaths),
 		root:                 containerRoot,
 		created:              state.Created,
@@ -349,3 +361,21 @@ func (l *LinuxFactory) validateID(id string) error {
 
 	return nil
 }
+
+// NewuidmapPath returns an option func to configure a LinuxFactory with the
+// provided ..
+func NewuidmapPath(newuidmapPath string) func(*LinuxFactory) error {
+	return func(l *LinuxFactory) error {
+		l.NewuidmapPath = newuidmapPath
+		return nil
+	}
+}
+
+// NewgidmapPath returns an option func to configure a LinuxFactory with the
+// provided ..
+func NewgidmapPath(newgidmapPath string) func(*LinuxFactory) error {
+	return func(l *LinuxFactory) error {
+		l.NewgidmapPath = newgidmapPath
+		return nil
+	}
+}

libcontainer/init_linux.go

@@ -261,25 +261,27 @@ func setupUser(config *initConfig) error {
 		}
 	}
 
-	if config.Rootless {
-		if execUser.Uid != 0 {
-			return fmt.Errorf("cannot run as a non-root user in a rootless container")
-		}
-
-		if execUser.Gid != 0 {
-			return fmt.Errorf("cannot run as a non-root group in a rootless container")
-		}
+	// Rather than just erroring out later in setuid(2) and setgid(2), check
+	// that the user is mapped here.
+	if _, err := config.Config.HostUID(int(execUser.Uid)); err != nil {
+		return fmt.Errorf("cannot set uid to unmapped user in user namespace")
+	}
+	if _, err := config.Config.HostGID(int(execUser.Gid)); err != nil {
+		return fmt.Errorf("cannot set gid to unmapped user in user namespace")
+	}
 
-		// We cannot set any additional groups in a rootless container and thus we
-		// bail if the user asked us to do so. TODO: We currently can't do this
-		// earlier, but if libcontainer.Process.User was typesafe this might work.
+	if config.Rootless {
+		// We cannot set any additional groups in a rootless container and thus
+		// we bail if the user asked us to do so. TODO: We currently can't do
+		// this check earlier, but if libcontainer.Process.User was typesafe
+		// this might work.
 		if len(addGroups) > 0 {
 			return fmt.Errorf("cannot set any additional groups in a rootless container")
 		}
 	}
 
-	// before we change to the container's user make sure that the processes STDIO
-	// is correctly owned by the user that we are switching to.
+	// Before we change to the container's user make sure that the processes
+	// STDIO is correctly owned by the user that we are switching to.
 	if err := fixStdioPermissions(config, execUser); err != nil {
 		return err
 	}
@@ -298,7 +300,6 @@ func setupUser(config *initConfig) error {
 	if err := system.Setgid(execUser.Gid); err != nil {
 		return err
 	}
-
 	if err := system.Setuid(execUser.Uid); err != nil {
 		return err
 	}

libcontainer/message_linux.go

@@ -18,6 +18,8 @@ const (
 	SetgroupAttr    uint16 = 27285
 	OomScoreAdjAttr uint16 = 27286
 	RootlessAttr    uint16 = 27287
+	UidmapPathAttr  uint16 = 27288
+	GidmapPathAttr  uint16 = 27289
 )
 
 type Int32msg struct {