sandbox: write uid/gid map as init

This avoids PR_SET_DUMPABLE in the parent process.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/sandbox/init.go

@@ -33,6 +33,7 @@ const (
 type initParams struct {
 	InitParams
 
+	HostUid, HostGid int
 	// extra files count
 	Count int
 	// verbosity pass through
@@ -43,10 +44,6 @@ func Init(exit func(code int)) {
 	runtime.LockOSThread()
 	fmsg.Prepare("init")
 
-	if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {
-		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
-	}
-
 	if os.Getpid() != 1 {
 		log.Fatal("this process must run as pid 1")
 	}
@@ -80,6 +77,29 @@ func Init(exit func(code int)) {
 		offsetSetup = int(setupFile.Fd() + 1)
 	}
 
+	// write uid/gid map here so parent does not need to set dumpable
+	if err := internal.SetDumpable(internal.SUID_DUMP_USER); err != nil {
+		log.Fatalf("cannot set SUID_DUMP_USER: %s", err)
+	}
+	if err := os.WriteFile("/proc/self/uid_map",
+		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
+		0); err != nil {
+		log.Fatalf("%v", err)
+	}
+	if err := os.WriteFile("/proc/self/setgroups",
+		[]byte("deny\n"),
+		0); err != nil && !os.IsNotExist(err) {
+		log.Fatalf("%v", err)
+	}
+	if err := os.WriteFile("/proc/self/gid_map",
+		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
+		0); err != nil {
+		log.Fatalf("%v", err)
+	}
+	if err := internal.SetDumpable(internal.SUID_DUMP_DISABLE); err != nil {
+		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
+	}
+
 	if params.Hostname != "" {
 		if err := syscall.Sethostname([]byte(params.Hostname)); err != nil {
 			log.Fatalf("cannot set hostname: %v", err)