github.com/containerd/Containerd@v1.4.13/runtime/v2/bundle_linux.go

github.com/containerd/Containerd@v1.4.13/runtime/v2/bundle_linux.go (about)

     1  /*
     2     Copyright The containerd Authors.
     3  
     4     Licensed under the Apache License, Version 2.0 (the "License");
     5     you may not use this file except in compliance with the License.
     6     You may obtain a copy of the License at
     7  
     8         http://www.apache.org/licenses/LICENSE-2.0
     9  
    10     Unless required by applicable law or agreed to in writing, software
    11     distributed under the License is distributed on an "AS IS" BASIS,
    12     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13     See the License for the specific language governing permissions and
    14     limitations under the License.
    15  */
    16  
    17  package v2
    18  
    19  import (
    20  	"encoding/json"
    21  	"os"
    22  
    23  	"github.com/opencontainers/runtime-spec/specs-go"
    24  )
    25  
    26  // prepareBundleDirectoryPermissions prepares the permissions of the bundle
    27  // directory according to the needs of the current platform.
    28  // On Linux when user namespaces are enabled, the permissions are modified to
    29  // allow the remapped root GID to access the bundle.
    30  func prepareBundleDirectoryPermissions(path string, spec []byte) error {
    31  	gid, err := remappedGID(spec)
    32  	if err != nil {
    33  		return err
    34  	}
    35  	if gid == 0 {
    36  		return nil
    37  	}
    38  	if err := os.Chown(path, -1, int(gid)); err != nil {
    39  		return err
    40  	}
    41  	return os.Chmod(path, 0710)
    42  }
    43  
    44  // ociSpecUserNS is a subset of specs.Spec used to reduce garbage during
    45  // unmarshal.
    46  type ociSpecUserNS struct {
    47  	Linux *linuxSpecUserNS
    48  }
    49  
    50  // linuxSpecUserNS is a subset of specs.Linux used to reduce garbage during
    51  // unmarshal.
    52  type linuxSpecUserNS struct {
    53  	GIDMappings []specs.LinuxIDMapping
    54  }
    55  
    56  // remappedGID reads the remapped GID 0 from the OCI spec, if it exists. If
    57  // there is no remapping, remappedGID returns 0. If the spec cannot be parsed,
    58  // remappedGID returns an error.
    59  func remappedGID(spec []byte) (uint32, error) {
    60  	var ociSpec ociSpecUserNS
    61  	err := json.Unmarshal(spec, &ociSpec)
    62  	if err != nil {
    63  		return 0, err
    64  	}
    65  	if ociSpec.Linux == nil || len(ociSpec.Linux.GIDMappings) == 0 {
    66  		return 0, nil
    67  	}
    68  	for _, mapping := range ociSpec.Linux.GIDMappings {
    69  		if mapping.ContainerID == 0 {
    70  			return mapping.HostID, nil
    71  		}
    72  	}
    73  	return 0, nil
    74  }