Request 'allow' setgroups when spawning new userns

Signed-off-by: Mike Baynton <mike@mbaynton.com>
2024-10-17 15:36:15 -05:00 · 2024-10-17 15:36:15 -05:00 · 347423a114
commit 347423a114
parent ce265ff955
2 changed files with 9 additions and 4 deletions
--- a/pkg/sys/unshare_linux.go
+++ b/pkg/sys/unshare_linux.go
@ -49,10 +49,11 @@ func UnshareAfterEnterUserns(uidMap, gidMap string, unshareFlags uintptr, f func
 	proc, err := os.StartProcess("/proc/self/exe", []string{"UnshareAfterEnterUserns"}, &os.ProcAttr{
 		Sys: &syscall.SysProcAttr{
 			// clone new user namespace first and then unshare
-			Cloneflags:   unix.CLONE_NEWUSER,
+			Cloneflags:                 unix.CLONE_NEWUSER,
-			Unshareflags: unshareFlags,
+			Unshareflags:               unshareFlags,
-			UidMappings:  uidMaps,
+			UidMappings:                uidMaps,
-			GidMappings:  gidMaps,
+			GidMappings:                gidMaps,
 			GidMappingsEnableSetgroups: true,
 			// NOTE: It's reexec but it's not heavy because subprocess
 			// be in PTRACE_TRACEME mode before performing execve.
 			Ptrace:    true,
--- a/pkg/sys/unshare_linux_test.go
+++ b/pkg/sys/unshare_linux_test.go
@ -85,6 +85,10 @@ func testUnshareAfterEnterUsernsShouldWork(t *testing.T) {
 		data, err = os.ReadFile(fmt.Sprintf("/proc/%d/gid_map", pid))
 		require.NoError(t, err)
 		require.Equal(t, "         0       1000         10\n", string(data))
 		data, err = os.ReadFile(fmt.Sprintf("/proc/%d/setgroups", pid))
 		require.NoError(t, err)
 		require.Equal(t, "allow\n", string(data))
 		return nil
 	})
 	require.NoError(t, uerr)