On Tue, 2015-02-17 at 13:23 -0800, Andy Lutomirski wrote:
- setuid / privileged helper. Why do you need a privileged helper? You should be able to do all of this using user namespaces. The Sandstorm code linked above does exactly this.
I tried this a bit, but i ran into two snags i don't understand. First of all, as uid/gid 1000 i can put "1000 1000 1" in /proc/self/uid_map from the child. However, i cannot put "1000 1000 1" into gid_map, as i get EPERM. I don't understand this, is this not supposed to work? Secondly, i'm failing to mount another instance of devpts. It fails with EINVAL. I've attached some sample code that shows these two errors (that i get on Fedora 21, with kernel 3.18.3-201.fc21.x86_64. Any help here would be appreciated...
Attachment:
test-user.c
Description: Text Data