github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #10741 from mbaynton/userns-allow-setgroups

Browse Source 
Allow `setgroups` in user namespaces
This commit is contained in:
Samuel Karp 2024-10-17 21:35:59 +00:00 committed by GitHub
commit 963c216048
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/sys/unshare_linux.go
View File

@ -53,6 +53,7 @@ func UnshareAfterEnterUserns(uidMap, gidMap string, unshareFlags uintptr, f func
Unshareflags: unshareFlags, Unshareflags: unshareFlags,
UidMappings: uidMaps, UidMappings: uidMaps,
GidMappings: gidMaps, GidMappings: gidMaps,
GidMappingsEnableSetgroups: true,
// NOTE: It's reexec but it's not heavy because subprocess // NOTE: It's reexec but it's not heavy because subprocess
// be in PTRACE_TRACEME mode before performing execve. // be in PTRACE_TRACEME mode before performing execve.
Ptrace: true, Ptrace: true,

4
pkg/sys/unshare_linux_test.go
View File

@ -85,6 +85,10 @@ func testUnshareAfterEnterUsernsShouldWork(t *testing.T) {
data, err = os.ReadFile(fmt.Sprintf("/proc/%d/gid_map", pid)) data, err = os.ReadFile(fmt.Sprintf("/proc/%d/gid_map", pid))
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, " 0 1000 10\n", string(data)) require.Equal(t, " 0 1000 10\n", string(data))
data, err = os.ReadFile(fmt.Sprintf("/proc/%d/setgroups", pid))
require.NoError(t, err)
require.Equal(t, "allow\n", string(data))
return nil return nil
}) })
require.NoError(t, uerr) require.NoError(t, uerr)