Merge pull request #10741 from mbaynton/userns-allow-setgroups

Allow `setgroups` in user namespaces

pkg/sys/unshare_linux.go

@@ -49,10 +49,11 @@ func UnshareAfterEnterUserns(uidMap, gidMap string, unshareFlags uintptr, f func
 	proc, err := os.StartProcess("/proc/self/exe", []string{"UnshareAfterEnterUserns"}, &os.ProcAttr{
 		Sys: &syscall.SysProcAttr{
 			// clone new user namespace first and then unshare
-			Cloneflags:   unix.CLONE_NEWUSER,
-			Unshareflags: unshareFlags,
-			UidMappings:  uidMaps,
-			GidMappings:  gidMaps,
+			Cloneflags:                 unix.CLONE_NEWUSER,
+			Unshareflags:               unshareFlags,
+			UidMappings:                uidMaps,
+			GidMappings:                gidMaps,
+			GidMappingsEnableSetgroups: true,
 			// NOTE: It's reexec but it's not heavy because subprocess
 			// be in PTRACE_TRACEME mode before performing execve.
 			Ptrace:    true,

pkg/sys/unshare_linux_test.go

@@ -85,6 +85,10 @@ func testUnshareAfterEnterUsernsShouldWork(t *testing.T) {
 		data, err = os.ReadFile(fmt.Sprintf("/proc/%d/gid_map", pid))
 		require.NoError(t, err)
 		require.Equal(t, "         0       1000         10\n", string(data))
+
+		data, err = os.ReadFile(fmt.Sprintf("/proc/%d/setgroups", pid))
+		require.NoError(t, err)
+		require.Equal(t, "allow\n", string(data))
 		return nil
 	})
 	require.NoError(t, uerr)