incusd/isntance/lxc: Respect restrict.idmap.size on un-isolated conta…

…iners Closes #1305 Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
lxc · Oct 21, 2024 · 0ca8dd5 · 0ca8dd5
1 parent 320b8dc
commit 0ca8dd5
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/internal/server/instance/drivers/driver_lxc.go b/internal/server/instance/drivers/driver_lxc.go
@@ -479,9 +479,27 @@ func findIdmap(s *state.State, cName string, isolated bool, configBase string, c
 	}
 
 	if !isolated {
+		// Create a new set based from the global one.
 		newIdmapset := idmap.Set{Entries: make([]idmap.Entry, len(s.OS.IdmapSet.Entries))}
 		copy(newIdmapset.Entries, s.OS.IdmapSet.Entries)
 
+		// Restrict the range sizes if specified.
+		if configSize != "" {
+			size, err := idmapSize(s, isolated, configSize)
+			if err != nil {
+				return nil, 0, err
+			}
+
+			for k, ent := range newIdmapset.Entries {
+				if ent.MapRange < size {
+					continue
+				}
+
+				newIdmapset.Entries[k].MapRange = size
+			}
+		}
+
+		// Apply the raw idmap entries.
 		for _, ent := range rawMaps.Entries {
 			err := newIdmapset.AddSafe(ent)
 			if err != nil && err == idmap.ErrHostIDIsSubID {