On 11/15/2016 12:53 AM, Alex Mestiashvili wrote: > Just stumbled upon the same problem; it seems that CLONE_NEWUSER > (and, as a consequence, unprivileged containers) simply doesn't work > with a grsecurity-patched kernel, see: > > https://forums.grsecurity.net/viewtopic.php?f=3&t=3929 > > You can check whether "user namespaces" work with this code: > https://lwn.net/Articles/539941/ > I found that the problem is in new[ug]idmap; patching new[ug]idmap.c (uidmap package) solved it.
I attached patches for your reference. Thanks.
--- newgidmap.c.orig 2016-11-17 17:29:16.164529187 +0800
+++ newgidmap.c 2016-11-17 17:28:22.904741277 +0800
@@ -159,7 +159,11 @@
 if ((getuid() != pw->pw_uid) ||
 (getgid() != pw->pw_gid) ||
 (pw->pw_uid != st.st_uid) ||
- (pw->pw_gid != st.st_gid)) {
+ (pw->pw_gid != st.st_gid && st.st_gid != 64044)) {
+ fprintf(stderr, _( "getuid(%lu) != pw->pw_uid(%lu)\n" ), getuid(), pw->pw_uid);
+ fprintf(stderr, _( "getgid(%lu) != pw->pw_gid(%lu)\n" ), getgid(), pw->pw_gid);
+ fprintf(stderr, _( "pw->pw_uid(%lu) != st.st_uid(%lu)\n" ), pw->pw_uid, st.st_uid);
+ fprintf(stderr, _( "pw->pw_gid(%lu) != st.st_gid(%lu)\n" ), pw->pw_gid, st.st_gid);
 fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), Prog, target);
 return EXIT_FAILURE;
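Review bot: The added `&& st.st_gid != 64044` on the changed condition hard-codes a blanket exemption into the ownership check of a setuid-root helper: any stat'd target whose group is 64044 now skips the `pw->pw_gid != st.st_gid` comparison on every kernel, not only where the grsecurity /proc restriction makes the target's group differ from the caller's primary group. The uid comparisons on the lines above still apply, so the widening is limited to group ownership, but the number is presumably the grsecurity /proc group on the reporter's system and should be resolved by name at runtime (`getgrnam`) or made a documented build-time option with a comment explaining why that group is trusted, rather than a magic constant that silently carries over to other distributions. The four new `fprintf` lines print all four comparisons unconditionally, so a failure of one check emits three misleading `!=` lines, and they pass `uid_t`/`gid_t` values (`unsigned int` on glibc) to `%lu`, which is a format/argument mismatch that `-Wformat` flags and can print garbage; they read as debugging aids and should be dropped, or changed to `%u` (or a cast to `unsigned long`) and wrapped in a single conditional, before being merged. The closing brace of this `if` block is outside the visible hunk.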
--- newuidmap.c.orig 2016-11-17 17:28:53.124620939 +0800
+++ newuidmap.c 2016-11-17 17:28:22.908741260 +0800
@@ -159,7 +159,12 @@
 if ((getuid() != pw->pw_uid) ||
 (getgid() != pw->pw_gid) ||
 (pw->pw_uid != st.st_uid) ||
- (pw->pw_gid != st.st_gid)) {
+ (pw->pw_gid != st.st_gid && st.st_gid != 64044)) {
+ fprintf(stderr, _( "getuid(%lu) != pw->pw_uid(%lu)\n" ), getuid(), pw->pw_uid);
+ fprintf(stderr, _( "getgid(%lu) != pw->pw_gid(%lu)\n" ), getgid(), pw->pw_gid);
+ fprintf(stderr, _( "pw->pw_uid(%lu) != st.st_uid(%lu)\n" ), pw->pw_uid, st.st_uid);
+ fprintf(stderr, _( "pw->pw_gid(%lu) != st.st_gid(%lu)\n" ), pw->pw_gid, st.st_gid);
+ fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), Prog, target);
 return EXIT_FAILURE;
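Review bot: The `+` on the `%s: Target %u is owned by a different user` line has no matching `-` in this hunk, so either the patched file now prints that message twice (the original line plus the added copy) or the hunk was hand-edited and will not apply cleanly; the newgidmap.c hunk keeps the same line as context, and this one should match it. The `&& st.st_gid != 64044` exemption is the same change as in newgidmap.c and deserves the same scrutiny here, since this binary writes a uid_map on behalf of unprivileged callers: once the target's group no longer has to match the caller's primary group, only the uid comparisons above remain, and that relaxation applies to every target on every kernel unless the group is resolved by name or gated behind a documented grsecurity-specific build option. The new `%lu` conversions receive `uid_t`/`gid_t` arguments, which are `unsigned int` on glibc, so they need `%u` (or an explicit cast to `unsigned long`) to avoid a format mismatch, and printing all four comparisons regardless of which one failed misleads whoever reads the error. The closing brace of the `if` block is outside the visible hunk.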