feat: set process user

nixpig · Nov 3, 2024 · 0c70442 · 0c70442
1 parent da736c8
commit 0c70442
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -194,6 +194,7 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [x] process
 - [x] process_capabilities
 - [x] process_oom_score_adj
+- [x] process_user
 - [x] start
 - [x] state
 
@@ -219,7 +220,6 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [ ] process_capabilities_fail
 - [ ] process_rlimits
 - [ ] process_rlimits_fail
-- [ ] process_user
 - [ ] root_readonly_true
 
 ### Unsupported tests

diff --git a/container/container_init.go b/container/container_init.go
@@ -8,7 +8,6 @@ import (
 	"strconv"
 	"syscall"
 
-	"github.com/nixpig/brownie/container/capabilities"
 	"github.com/nixpig/brownie/container/namespace"
 	"github.com/nixpig/brownie/container/terminal"
 	"github.com/nixpig/brownie/internal/ipc"
@@ -47,17 +46,6 @@ func (c *Container) Init(reexec string, arg string) error {
 
 	reexecCmd := exec.Command(reexec, []string{arg, c.ID()}...)
 
-	var ambientCapsFlags []uintptr
-	if c.Spec.Process != nil &&
-		c.Spec.Process.Capabilities != nil {
-		for _, cap := range c.Spec.Process.Capabilities.Ambient {
-			ambientCapsFlags = append(
-				ambientCapsFlags,
-				uintptr(capabilities.Capabilities[cap]),
-			)
-		}
-	}
-
 	var cloneFlags uintptr
 	for _, ns := range c.Spec.Linux.Namespaces {
 		ns := namespace.LinuxNamespace(ns)
@@ -95,10 +83,9 @@ func (c *Container) Init(reexec string, arg string) error {
 	}
 
 	reexecCmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps:                ambientCapsFlags,
 		Cloneflags:                 cloneFlags,
 		Unshareflags:               unshareFlags,
-		GidMappingsEnableSetgroups: false,
+		GidMappingsEnableSetgroups: true,
 		UidMappings:                uidMappings,
 		GidMappings:                gidMappings,
 	}

diff --git a/container/container_reexec.go b/container/container_reexec.go
@@ -179,10 +179,21 @@ func (c *Container) Reexec(log *zerolog.Logger) error {
 
 		log.Info().Msg("✅ before credential set")
 
+		var ambientCapsFlags []uintptr
+		if c.Spec.Process != nil &&
+			c.Spec.Process.Capabilities != nil {
+			for _, cap := range c.Spec.Process.Capabilities.Ambient {
+				ambientCapsFlags = append(
+					ambientCapsFlags,
+					uintptr(capabilities.Capabilities[cap]),
+				)
+			}
+		}
+
 		cmd.SysProcAttr = &syscall.SysProcAttr{
+			AmbientCaps: ambientCapsFlags,
 			Credential: &syscall.Credential{
-				// FIXME: setting the uid wipes out any set capabilities
-				// Uid: c.Spec.Process.User.UID,
+				Uid:    c.Spec.Process.User.UID,
 				Gid:    c.Spec.Process.User.GID,
 				Groups: c.Spec.Process.User.AdditionalGids,
 			},

diff --git a/oci.sh b/oci.sh
@@ -59,7 +59,7 @@ tests=(
   "process_oom_score_adj"
 # "process_rlimits"
 # "process_rlimits_fail"
-# "process_user"
+  "process_user"
 # "root_readonly_true"
   "start"
   "state"