LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

Franklin “Snaipe” Mathieu snaipe at arista.com
Fri Apr 23 14:36:12 UTC 2021


On Thu, Apr 22, 2021 at 11:18 AM Giuseppe Scrivano <gscrivan at redhat.com> wrote:
> thanks for the feedback.  We are still facing the issue with rootless
> Podman, and these patches (listed here so you won't need to dig into archives):
>
> https://github.com/giuseppe/linux/commit/7e0701b389c497472d11fab8570c153a414050af
> https://github.com/giuseppe/linux/commit/1c5fe726346b216293a527719e64f34e6297f0c2
>
> would solve the issue for us as well and we can use setgroups within a
> user namespace in a safe way.
>
> Any comments on this approach?  Could we move forward with it?
>

I rebased and built your changes on top of v5.10, patched our tool to
burn "shadow" into /proc/self/setgroups, and it's working beautifully:

    $ id
    uid=1000(snaipe) gid=1000(snaipe) groups=1000(snaipe),998(wheel)

    $ bst grep . /proc/self/uid_map /proc/self/gid_map /proc/self/setgroups
    /proc/self/uid_map:         0       1000          1
    /proc/self/uid_map:         1     100000      65536
    /proc/self/gid_map:         0       1000          1
    /proc/self/gid_map:         1     100000      65536
    /proc/self/setgroups:shadow

    $ ls -l
    total 8
    drwxr-xr-x 2 root wheel 4096 Apr 23 14:18 allowed
    drwx---r-x 2 root wheel 4096 Apr 23 14:18 denied

    $ bst sh -c 'id; ls allowed denied'
    uid=0(root) gid=0(root) groups=0(root)
    allowed:
    ls: cannot open directory 'denied': Permission denied

    $ bst --groups 1 sh -c 'id; ls allowed denied'
    uid=0(root) gid=0(root) groups=0(root),1(daemon)
    allowed:
    ls: cannot open directory 'denied': Permission denied

-- 
Snaipe
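The uid_map/gid_map lines in the session above decide what each id inside the namespace stands for on the host (gid 1 inside is host gid 100000, while host wheel, gid 998, has no id inside at all). The following is an added example, not code from this thread, from bst, or from the kernel patches under discussion: it parses map text in the /proc/<pid>/{uid,gid}_map format and translates ids in both directions; the map text is constructed from the gid_map printed in the message.

```c
#include <stdio.h>
#include <string.h>

/* Constructed from the gid_map printed in the message above.
 * Each line is: <inside-start> <outside-start> <count>. */
static const char GID_MAP[] =
    "         0       1000          1\n"
    "         1     100000      65536\n";

/* Advance to the start of the next line, or NULL at end of text. */
static const char *next_line(const char *p)
{
    p = strchr(p, '\n');
    return p ? p + 1 : NULL;
}

/* Translate an id as seen inside the namespace to the host id it
 * represents.  Returns 1 and sets *host on success, 0 if unmapped. */
static int ns_to_host(const char *map, unsigned long inside, unsigned long *host)
{
    for (const char *p = map; p && *p; p = next_line(p)) {
        unsigned long lo, base, cnt;
        if (sscanf(p, "%lu %lu %lu", &lo, &base, &cnt) != 3)
            continue;                 /* skip malformed lines */
        if (inside >= lo && inside - lo < cnt) {
            *host = base + (inside - lo);
            return 1;
        }
    }
    return 0;
}

/* Reverse direction: the id a host id appears as inside the namespace.
 * Returns 0 when the host id has no representation inside (e.g. wheel). */
static int host_to_ns(const char *map, unsigned long host, unsigned long *inside)
{
    for (const char *p = map; p && *p; p = next_line(p)) {
        unsigned long lo, base, cnt;
        if (sscanf(p, "%lu %lu %lu", &lo, &base, &cnt) != 3)
            continue;
        if (host >= base && host - base < cnt) {
            *inside = lo + (host - base);
            return 1;
        }
    }
    return 0;
}
```

Running ns_to_host(GID_MAP, 1, &id) yields 100000, matching the groups=...,1(daemon) line, and host_to_ns(GID_MAP, 998, &id) returns 0 because wheel is outside every mapped range.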

