-
Kirill Smelkov authoredIf we enter user namespace via regular unshare without help from SUID newuidmap/newgidmap, all supplementary groups are mapped to -1. As the result when Go test tries to chown to a supplementary group, it gets EINVAL: https://github.com/golang/go/issues/42525 -> work it around with patch to skip this chown tests. A more proper, longer-term fix would be to fix Linux kernel to allow writes to /proc/self/gid_map to setup mapping not only to original gid, but to all original supplementary groups as well here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c?id=v5.16-rc4-0-g0fcfb00b28c0#n1143 this fix, even if accepted by upstream, would be long to be waited for to propagate to distribution kernels that we currently use. So we go with this workaround for now. -------- Another patch is to fix the following TestSCMCredentials failure: === RUN TestSCMCredentials creds_test.go:81: WriteMsgUnix failed with invalid argument, want EPERM --- FAIL: TestSCMCredentials (0.00s) There the code tries to send uid0/gid0 credentials from non-zero uid and expects EPERM reject from kernel. However under `unshare -Umc` uid0/gid0 are not mapped to anywhere and so implicitly map to -1 and are rejected with EINVAL by the kernel. /reviewed-by @jerome /reviewed-on nexedi/slapos!1095
71ced145