namespace-sandbox: write "deny" to /proc/self/setgroups

This remove the operation not permitted when trying to write the gid mapping. The error message was the result of a change in Linux 3.19 to address a security issue. Further explanation can be found in the source example of http://man7.org/linux/man-pages/man7/user_namespaces.7.html. -- MOS_MIGRATED_REVID=93870786
author: Damien Martin-Guillerez <dmarting@google.com> 2015-05-18 09:52:43 +0000
committer: Damien Martin-Guillerez <dmarting@google.com> 2015-05-18 19:59:35 +0000
commit: aabdb67c17ec26df3bea15ca3c7f88c73d565bcf (patch)
tree: bdb2bd4350572c479ad31fbec68e644417336d9a /src/main/tools/namespace-sandbox.c
parent: cb598ef624d7f451fcaff25f01ab98c2bc1901a8 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/main/tools/namespace-sandbox.c b/src/main/tools/namespace-sandbox.c
index 2ea49f812a..e14ef70b39 100644
--- a/src/main/tools/namespace-sandbox.c
+++ b/src/main/tools/namespace-sandbox.c
@@ -179,6 +179,14 @@ parsing_finished:
     CHECK_CALL(chdir(".."));
   }
 
+  // Disable needs for CAP_SETGID
+  int r = WriteFile("/proc/self/setgroups", "deny");
+  if (r < 0 && errno != ENOENT) {
+    // Writing to /proc/self/setgroups might fail on earlier
+    // version of linux because setgroups does not exist, ignore.
+    perror("WriteFile(\"/proc/self/setgroups\", \"deny\")");
+    exit(-1);
+  }
   // set group and user mapping from outer namespace to inner:
   // no changes in the parent, be root in the child
   CHECK_CALL(WriteFile("/proc/self/uid_map", "0 %d 1\n", uid));
author	Damien Martin-Guillerez <dmarting@google.com>	2015-05-18 09:52:43 +0000
committer	Damien Martin-Guillerez <dmarting@google.com>	2015-05-18 19:59:35 +0000
commit	aabdb67c17ec26df3bea15ca3c7f88c73d565bcf (patch)
tree	bdb2bd4350572c479ad31fbec68e644417336d9a /src/main/tools/namespace-sandbox.c
parent	cb598ef624d7f451fcaff25f01ab98c2bc1901a8 (diff)