From aabdb67c17ec26df3bea15ca3c7f88c73d565bcf Mon Sep 17 00:00:00 2001
From: Damien Martin-Guillerez
Date: Mon, 18 May 2015 09:52:43 +0000
Subject: namespace-sandbox: write "deny" to /proc/self/setgroups
This remove the operation not permitted when trying to write the gid mapping. The error message was the result of a change in Linux 3.19 to address a security issue. Further explanation can be found in the source example of http://man7.org/linux/man-pages/man7/user_namespaces.7.html.
-- MOS_MIGRATED_REVID=93870786
---
 src/main/tools/namespace-sandbox.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/main')
diff --git a/src/main/tools/namespace-sandbox.c b/src/main/tools/namespace-sandbox.c
index 2ea49f812a..e14ef70b39 100644
--- a/src/main/tools/namespace-sandbox.c
+++ b/src/main/tools/namespace-sandbox.c
@@ -179,6 +179,14 @@ parsing_finished:
 CHECK_CALL(chdir(".."));
 }
+ // Disable needs for CAP_SETGID
+ int r = WriteFile("/proc/self/setgroups", "deny");
+ if (r < 0 && errno != ENOENT) {
+ // Writing to /proc/self/setgroups might fail on earlier
+ // version of linux because setgroups does not exist, ignore.
+ perror("WriteFile(\"/proc/self/setgroups\", \"deny\")");
+ exit(-1);
+ }
 // set group and user mapping from outer namespace to inner:
 // no changes in the parent, be root in the child
 CHECK_CALL(WriteFile("/proc/self/uid_map", "0 %d 1\n", uid));
--
cgit v1.2.3
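Review bot: The `errno != ENOENT` test after `WriteFile("/proc/self/setgroups", "deny")` is only reliable if WriteFile returns with errno still holding the error from the failed open or write; WriteFile and the rest of the enclosing function are outside this hunk, so this cannot be confirmed here. If WriteFile closes the stream or prints before returning, it should save and restore errno, otherwise a kernel without the file could hit the fatal branch. The inner comment describes the ignored case but sits in the branch that exits; placing it above the `if` as `// ENOENT: kernel has no /proc/self/setgroups, nothing to deny; any other error is fatal.` would match the code. On the ENOENT path the sandbox presumably continues with setgroups(2) still usable inside the new user namespace, which is the behaviour the kernel change referenced in the commit message was meant to close. A one-line warning on stderr there would make the weaker isolation visible to whoever runs the sandbox on such a kernel.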