cdi: use [r]idmap for bind mounts if user NS is in use.

When injecting bind mounts to a container with user namespaces,
add the idmap or ridmap option depending on whether we have a
bind or rbind mount. This should cause the mount to happen with
ID mapping set up for proper access.

Signed-off-by: Krisztian Litkey <[email protected]>

Author: klihub

pkg/cdi/container-edits.go

@@ -122,9 +122,24 @@ func (e *ContainerEdits) Apply(spec *oci.Spec) error {
 	}
 
 	if len(e.Mounts) > 0 {
+		var (
+			hasUserNamespace = specHasUserNamespace(spec)
+			isBind           bool
+			bindKind         string
+		)
 		for _, m := range e.Mounts {
+			mnt := &Mount{m}
+			if hasUserNamespace {
+				isBind, bindKind = mnt.isBindMount()
+			}
+
 			specgen.RemoveMount(m.ContainerPath)
-			specgen.AddMount((&Mount{m}).toOCI())
+
+			if !hasUserNamespace || !isBind {
+				specgen.AddMount(mnt.toOCI())
+			} else {
+				specgen.AddMount(mnt.toOCI(withMountIDMappingsFor(bindKind)))
+			}
 		}
 		sortMounts(&specgen)
 	}
@@ -398,6 +413,25 @@ func (m *Mount) Validate() error {
 	return nil
 }
 
+func (m *Mount) isBindMount() (bool, string) {
+	kind := ""
+	if m.Type == "bind" {
+		kind = "bind"
+	}
+	for _, o := range m.Options {
+		switch o {
+		case "bind":
+			if kind == "" {
+				kind = "bind"
+			}
+		case "rbind":
+			return true, "rbind"
+		}
+	}
+
+	return kind != "", kind
+}
+
 // IntelRdt is a CDI IntelRdt wrapper.
 // This is used for validation and conversion to OCI specifications.
 type IntelRdt struct {
@@ -465,3 +499,16 @@ func (m orderedMounts) Swap(i, j int) {
 func (m orderedMounts) parts(i int) int {
 	return strings.Count(filepath.Clean(m[i].Destination), string(os.PathSeparator))
 }
+
+// specHasUserNamespace returns true if the OCI Spec has a Linux UserNamespace.
+func specHasUserNamespace(spec *oci.Spec) bool {
+	if spec == nil || spec.Linux == nil {
+		return false
+	}
+	for _, ns := range spec.Linux.Namespaces {
+		if ns.Type == oci.UserNamespace {
+			return true
+		}
+	}
+	return false
+}

pkg/cdi/container-edits_test.go

@@ -800,6 +800,104 @@ func TestApplyContainerEdits(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "mount added to container with Linux user namespace and uid/gid mappings",
+			spec: &oci.Spec{
+				Linux: &oci.Linux{
+					UIDMappings: []oci.LinuxIDMapping{
+						{
+							ContainerID: 0,
+							HostID:      1000,
+							Size:        999,
+						},
+					},
+					GIDMappings: []oci.LinuxIDMapping{
+						{
+							ContainerID: 0,
+							HostID:      2000,
+							Size:        777,
+						},
+					},
+					Namespaces: []oci.LinuxNamespace{
+						{
+							Type: oci.UserNamespace,
+							Path: "/foo/bar",
+						},
+					},
+				},
+				Mounts: []oci.Mount{
+					{
+						Source:      "/some/host/path1",
+						Destination: "/dest/path/c",
+					},
+					{
+						Source:      "/some/host/path2",
+						Destination: "/dest/path/b",
+					},
+				},
+			},
+			edits: &cdi.ContainerEdits{
+				Mounts: []*cdi.Mount{
+					{
+						HostPath:      "/some/host/path3",
+						ContainerPath: "/dest/path/a",
+						Type:          "bind",
+					},
+					{
+						HostPath:      "/some/host/path4",
+						ContainerPath: "/dest/path/d",
+						Type:          "bind",
+						Options:       []string{"rbind"},
+					},
+				},
+			},
+			result: &oci.Spec{
+				Linux: &oci.Linux{
+					UIDMappings: []oci.LinuxIDMapping{
+						{
+							ContainerID: 0,
+							HostID:      1000,
+							Size:        999,
+						},
+					},
+					GIDMappings: []oci.LinuxIDMapping{
+						{
+							ContainerID: 0,
+							HostID:      2000,
+							Size:        777,
+						},
+					},
+					Namespaces: []oci.LinuxNamespace{
+						{
+							Type: oci.UserNamespace,
+							Path: "/foo/bar",
+						},
+					},
+				},
+				Mounts: []oci.Mount{
+					{
+						Source:      "/some/host/path1",
+						Destination: "/dest/path/c",
+					},
+					{
+						Source:      "/some/host/path2",
+						Destination: "/dest/path/b",
+					},
+					{
+						Source:      "/some/host/path3",
+						Destination: "/dest/path/a",
+						Type:        "bind",
+						Options:     []string{"idmap"},
+					},
+					{
+						Source:      "/some/host/path4",
+						Destination: "/dest/path/d",
+						Type:        "bind",
+						Options:     []string{"rbind", "ridmap"},
+					},
+				},
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			edits := ContainerEdits{tc.edits}

pkg/cdi/oci.go

@@ -30,14 +30,33 @@ func (h *Hook) toOCI() spec.Hook {
 	}
 }
 
+// Additional OCI mount option to apply to injected mounts.
+type ociMountOption func(*spec.Mount)
+
+// withMountIDMappingsFor adds the necessary ID mapping options for a bind mount.
+func withMountIDMappingsFor(kind string) ociMountOption {
+	return func(m *spec.Mount) {
+		switch kind {
+		case "rbind":
+			m.Options = append(m.Options, "ridmap")
+		case "bind":
+			m.Options = append(m.Options, "idmap")
+		}
+	}
+}
+
 // toOCI returns the opencontainers runtime Spec Mount for this Mount.
-func (m *Mount) toOCI() spec.Mount {
-	return spec.Mount{
+func (m *Mount) toOCI(options ...ociMountOption) spec.Mount {
+	om := spec.Mount{
 		Source:      m.HostPath,
 		Destination: m.ContainerPath,
 		Options:     m.Options,
 		Type:        m.Type,
 	}
+	for _, o := range options {
+		o(&om)
+	}
+	return om
 }
 
 // toOCI returns the opencontainers runtime Spec LinuxDevice for this DeviceNode.