Use /proc/self/uid_map to determine if rootless or not

When Podman starts a container in rootless, it first creates a user namespace and then starts the container as root in it. Therefore, determining rootless in youki with geteuid(2) is not sufficient. Youki should look at /proc/self/uid_map to determine if it is rootless, just like crun and runc. Signed-off-by: Manabu Ori <[email protected]>
youki-dev · Sep 4, 2022 · b567986 · b567986
1 parent 3a29e2d
commit b567986
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 9 deletions.
diff --git a/crates/libcgroups/src/common.rs b/crates/libcgroups/src/common.rs
@@ -216,6 +216,21 @@ fn create_v2_cgroup_manager(_cgroup_path: PathBuf) -> Result<Box<dyn CgroupManag
     bail!("cgroup v2 feature is required, but was not enabled during compile time");
 }
 
+pub fn rootless_required() -> bool {
+    if !nix::unistd::geteuid().is_root() {
+        return true;
+    }
+
+    let uid_map_path = "/proc/self/uid_map";
+    let content = fs::read_to_string(uid_map_path)
+        .unwrap_or_else(|_| panic!("failed to read {}", uid_map_path));
+    if !content.contains("4294967295") {
+        return true;
+    }
+
+    matches!(std::env::var("YOUKI_USE_ROOTLESS").as_deref(), Ok("true"))
+}
+
 #[cfg(feature = "systemd")]
 fn create_systemd_cgroup_manager(
     cgroup_path: PathBuf,
@@ -227,7 +242,7 @@ fn create_systemd_cgroup_manager(
         );
     }
 
-    let use_system = nix::unistd::geteuid().is_root();
+    let use_system = !rootless_required();
 
     log::info!(
         "systemd cgroup manager with system bus {} will be used",

diff --git a/crates/libcontainer/src/rootless.rs b/crates/libcontainer/src/rootless.rs
@@ -1,5 +1,6 @@
 use crate::{namespaces::Namespaces, utils};
 use anyhow::{bail, Context, Result};
+use libcgroups::common::rootless_required;
 use nix::unistd::Pid;
 use oci_spec::runtime::{Linux, LinuxIdMapping, LinuxNamespace, LinuxNamespaceType, Mount, Spec};
 use std::fs;
@@ -118,13 +119,6 @@ pub fn get_gid_path(pid: &Pid) -> PathBuf {
 }
 
 /// Checks if rootless mode should be used
-pub fn rootless_required() -> bool {
-    if !nix::unistd::geteuid().is_root() {
-        return true;
-    }
-
-    matches!(std::env::var("YOUKI_USE_ROOTLESS").as_deref(), Ok("true"))
-}
 
 pub fn unprivileged_user_ns_enabled() -> Result<bool> {
     let user_ns_sysctl = Path::new("/proc/sys/kernel/unprivileged_userns_clone");

diff --git a/crates/youki/src/main.rs b/crates/youki/src/main.rs
@@ -14,7 +14,7 @@ use std::fs;
 use std::path::{Path, PathBuf};
 
 use crate::commands::info;
-use libcontainer::rootless::rootless_required;
+use libcgroups::common::rootless_required;
 use libcontainer::utils::create_dir_all_with_mode;
 use nix::sys::stat::Mode;
 use nix::unistd::getuid;