From 8119809b68bee9a027bae9d5851b11c743438bd6 Mon Sep 17 00:00:00 2001
From: Phil Estes <estesp@linux.vnet.ibm.com>
Date: Wed, 9 Nov 2016 16:52:38 +0100
Subject: [PATCH] Correct secrets permissions when userns enabled

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
---
 daemon/container_operations_unix.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 8fbc7bca6f..5e1da60414 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -163,11 +163,14 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		}
 	}()
 
+	// retrieve possible remapped range start for root UID, GID
+	rootUID, rootGID := daemon.GetRemappedUIDGID()
 	// create tmpfs
-	if err := os.MkdirAll(localMountPath, 0700); err != nil {
+	if err := idtools.MkdirAllAs(localMountPath, 0700, rootUID, rootGID); err != nil {
 		return errors.Wrap(err, "error creating secret local mount path")
 	}
-	if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "nodev,nosuid,noexec"); err != nil {
+	tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootUID, rootGID)
+	if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "nodev,nosuid,noexec,"+tmpfsOwnership); err != nil {
 		return errors.Wrap(err, "unable to setup secret mount")
 	}
 
@@ -179,7 +182,7 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 		}
 
 		fPath := filepath.Join(localMountPath, targetPath)
-		if err := os.MkdirAll(filepath.Dir(fPath), 0700); err != nil {
+		if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil {
 			return errors.Wrap(err, "error creating secret mount path")
 		}
 
@@ -200,13 +203,13 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 			return err
 		}
 
-		if err := os.Chown(fPath, uid, gid); err != nil {
+		if err := os.Chown(fPath, rootUID+uid, rootGID+gid); err != nil {
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 	}
 
 	// remount secrets ro
-	if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "remount,ro"); err != nil {
+	if err := mount.Mount("tmpfs", localMountPath, "tmpfs", "remount,ro,"+tmpfsOwnership); err != nil {
 		return errors.Wrap(err, "unable to remount secret dir as readonly")
 	}