Open shriphani opened 2 years ago
Can confirm that this solve the issue I had with this piece of code:
.set_id_maps(
vec![UidMap {
inside_uid: 0,
outside_uid: unsafe { libc::geteuid() },
count: 1,
}],
vec![GidMap {
inside_gid: 0,
outside_gid: unsafe { libc::getegid() },
count: 1,
}],
);
Since Linux 3.19 unprivileged writing of /proc/self/gid_map has been disabled unless /proc/self/setgroups is written first to permanently disable the ability to call setgroups in that user namespace.
This essentially means we need to write "deny" to /proc/self/setgroups. This PR adds that one invocation.
Without this, you can't map a child in CLONE_NEWUSER uid 0 and gid 0 to an unprivileged caller's uid and gid.