setgroups < deny is needed before group ids are set #27
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since Linux 3.19 unprivileged writing of /proc/self/gid_map has been disabled unless /proc/self/setgroups is written first to permanently disable the ability to call setgroups in that user namespace.
This essentially means we need to write "deny" to /proc/self/setgroups. This PR adds that one invocation.
Without this, you can't map a child in CLONE_NEWUSER uid 0 and gid 0 to an unprivileged caller's uid and gid.