From 347423a114982700af57f13dde7dd83b35b30b23 Mon Sep 17 00:00:00 2001
From: Mike Baynton
Date: Thu, 17 Oct 2024 15:36:15 -0500
Subject: [PATCH] Request 'allow' setgroups when spawning new userns

Signed-off-by: Mike Baynton
---
 pkg/sys/unshare_linux.go | 9 +++++----
 pkg/sys/unshare_linux_test.go | 4 ++++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/pkg/sys/unshare_linux.go b/pkg/sys/unshare_linux.go
index e8774a21c..31f36323a 100644
--- a/pkg/sys/unshare_linux.go
+++ b/pkg/sys/unshare_linux.go
@@ -49,10 +49,11 @@ func UnshareAfterEnterUserns(uidMap, gidMap string, unshareFlags uintptr, f func
 proc, err := os.StartProcess("/proc/self/exe", []string{"UnshareAfterEnterUserns"}, &os.ProcAttr{
 Sys: &syscall.SysProcAttr{
 // clone new user namespace first and then unshare
- Cloneflags: unix.CLONE_NEWUSER,
- Unshareflags: unshareFlags,
- UidMappings: uidMaps,
- GidMappings: gidMaps,
+ Cloneflags: unix.CLONE_NEWUSER,
+ Unshareflags: unshareFlags,
+ UidMappings: uidMaps,
+ GidMappings: gidMaps,
+ GidMappingsEnableSetgroups: true,
 // NOTE: It's reexec but it's not heavy because subprocess
 // be in PTRACE_TRACEME mode before performing execve.
 Ptrace: true,
diff --git a/pkg/sys/unshare_linux_test.go b/pkg/sys/unshare_linux_test.go
index d4486f42f..f627ce6f0 100644
--- a/pkg/sys/unshare_linux_test.go
+++ b/pkg/sys/unshare_linux_test.go
@@ -85,6 +85,10 @@ func testUnshareAfterEnterUsernsShouldWork(t *testing.T) {
 data, err = os.ReadFile(fmt.Sprintf("/proc/%d/gid_map", pid))
 require.NoError(t, err)
 require.Equal(t, " 0 1000 10\n", string(data))
+
+ data, err = os.ReadFile(fmt.Sprintf("/proc/%d/setgroups", pid))
+ require.NoError(t, err)
+ require.Equal(t, "allow\n", string(data))
 return nil
 })
 require.NoError(t, uerr)
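Review bot: Setting `GidMappingsEnableSetgroups: true` makes the Go runtime write "allow" instead of "deny" to the child's /proc/[pid]/setgroups before it writes gid_map, and the kernel only accepts a gid_map from a writer holding CAP_SETGID in the parent user namespace unless setgroups has been denied first, so an unprivileged caller of UnshareAfterEnterUserns that previously worked with a single-line self mapping will, as far as I can tell, now fail at os.StartProcess. That is presumably fine for the privileged callers this helper serves, but it is a new, undocumented precondition, so I would state it on the function's doc comment, e.g. `// The caller must hold CAP_SETGID in its user namespace: setgroups is requested as "allow" in the child, which the kernel permits only for a privileged gid_map writer.` A why-comment next to the new field would also help a future reader, e.g. `// Allow setgroups(2) inside the new userns (the default would write "deny"); requires a privileged gid_map writer.` The enclosing UnshareAfterEnterUserns starts and ends outside the hunk.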