Merge pull request #25244 from giuseppe/mount-fix-segfault

images: fix segfault when mounting without cap_sys_admin
containers · Feb 7, 2025 · 24b686e · 24b686e
2 parents 708b349 + 2f71072
commit 24b686e
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 17 deletions.
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
@@ -35,6 +35,7 @@ import (
 	"github.com/containers/podman/v5/pkg/specgenutil"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/containers/storage"
+	"github.com/containers/storage/pkg/unshare"
 	"github.com/containers/storage/types"
 	"github.com/hashicorp/go-multierror"
 	"github.com/sirupsen/logrus"
@@ -1361,7 +1362,11 @@ func (ic *ContainerEngine) ContainerInit(ctx context.Context, namesOrIds []strin
 }
 
 func (ic *ContainerEngine) ContainerMount(ctx context.Context, nameOrIDs []string, options entities.ContainerMountOptions) ([]*entities.ContainerMountReport, error) {
-	if os.Geteuid() != 0 {
+	hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+	if err != nil {
+		return nil, err
+	}
+	if os.Geteuid() != 0 || !hasCapSysAdmin {
 		if driver := ic.Libpod.StorageConfig().GraphDriverName; driver != "vfs" {
 			// Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
 			// of the mount command.

diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
@@ -38,6 +38,7 @@ import (
 	"github.com/containers/podman/v5/pkg/errorhandling"
 	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/containers/storage"
+	"github.com/containers/storage/pkg/unshare"
 	"github.com/containers/storage/types"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -157,6 +158,28 @@ func (ir *ImageEngine) Mount(ctx context.Context, nameOrIDs []string, opts entit
 	listMountsOnly := false
 	var images []*libimage.Image
 	var err error
+
+	hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+	if err != nil {
+		return nil, err
+	}
+
+	if os.Geteuid() != 0 || !hasCapSysAdmin {
+		if driver := ir.Libpod.StorageConfig().GraphDriverName; driver != "vfs" {
+			// Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
+			// of the mount command.
+			return nil, fmt.Errorf("cannot mount using driver %s in rootless mode", driver)
+		}
+
+		became, ret, err := rootless.BecomeRootInUserNS("")
+		if err != nil {
+			return nil, err
+		}
+		if became {
+			os.Exit(ret)
+		}
+	}
+
 	switch {
 	case opts.All && len(nameOrIDs) > 0:
 		return nil, errors.New("cannot mix --all with images")
@@ -178,22 +201,6 @@ func (ir *ImageEngine) Mount(ctx context.Context, nameOrIDs []string, opts entit
 		}
 	}
 
-	if os.Geteuid() != 0 {
-		if driver := ir.Libpod.StorageConfig().GraphDriverName; driver != "vfs" {
-			// Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
-			// of the mount command.
-			return nil, fmt.Errorf("cannot mount using driver %s in rootless mode", driver)
-		}
-
-		became, ret, err := rootless.BecomeRootInUserNS("")
-		if err != nil {
-			return nil, err
-		}
-		if became {
-			os.Exit(ret)
-		}
-	}
-
 	mountReports := []*entities.ImageMountReport{}
 	for _, i := range images {
 		var mountPoint string