From 0c7044289368774a0f1a9479c1108c36f5a56780 Mon Sep 17 00:00:00 2001
From: nixpig <143995476+nixpig@users.noreply.github.com>
Date: Sun, 3 Nov 2024 17:17:27 +0000
Subject: [PATCH] feat: set process user
---
 README.md | 2 +-
 container/container_init.go | 15 +--------------
 container/container_reexec.go | 15 +++++++++++++--
 oci.sh | 2 +-
 4 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index d151b08..fa505af 100644
--- a/README.md
+++ b/README.md
@@ -194,6 +194,7 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [x] process
 - [x] process_capabilities
 - [x] process_oom_score_adj
+- [x] process_user
 - [x] start
 - [x] state
@@ -219,7 +220,6 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [ ] process_capabilities_fail
 - [ ] process_rlimits
 - [ ] process_rlimits_fail
-- [ ] process_user
 - [ ] root_readonly_true
 ### Unsupported tests
diff --git a/container/container_init.go b/container/container_init.go
index a7df976..48ca378 100644
--- a/container/container_init.go
+++ b/container/container_init.go
@@ -8,7 +8,6 @@ import (
 "strconv"
 "syscall"
- "github.com/nixpig/brownie/container/capabilities"
 "github.com/nixpig/brownie/container/namespace"
 "github.com/nixpig/brownie/container/terminal"
 "github.com/nixpig/brownie/internal/ipc"
@@ -47,17 +46,6 @@ func (c *Container) Init(reexec string, arg string) error {
 reexecCmd := exec.Command(reexec, []string{arg, c.ID()}...)
- var ambientCapsFlags []uintptr
- if c.Spec.Process != nil &&
- c.Spec.Process.Capabilities != nil {
- for _, cap := range c.Spec.Process.Capabilities.Ambient {
- ambientCapsFlags = append(
- ambientCapsFlags,
- uintptr(capabilities.Capabilities[cap]),
- )
- }
- }
-
 var cloneFlags uintptr
 for _, ns := range c.Spec.Linux.Namespaces {
 ns := namespace.LinuxNamespace(ns)
@@ -95,10 +83,9 @@ func (c *Container) Init(reexec string, arg string) error {
 }
 reexecCmd.SysProcAttr = &syscall.SysProcAttr{
- AmbientCaps: ambientCapsFlags,
 Cloneflags: cloneFlags,
 Unshareflags: unshareFlags,
- GidMappingsEnableSetgroups: false,
+ GidMappingsEnableSetgroups: true,
 UidMappings: uidMappings,
 GidMappings: gidMappings,
 }
diff --git a/container/container_reexec.go b/container/container_reexec.go
index 2a6f78d..f82deef 100644
--- a/container/container_reexec.go
+++ b/container/container_reexec.go
@@ -179,10 +179,21 @@ func (c *Container) Reexec(log *zerolog.Logger) error {
 log.Info().Msg("✅ before credential set")
+ var ambientCapsFlags []uintptr
+ if c.Spec.Process != nil &&
+ c.Spec.Process.Capabilities != nil {
+ for _, cap := range c.Spec.Process.Capabilities.Ambient {
+ ambientCapsFlags = append(
+ ambientCapsFlags,
+ uintptr(capabilities.Capabilities[cap]),
+ )
+ }
+ }
+
 cmd.SysProcAttr = &syscall.SysProcAttr{
+ AmbientCaps: ambientCapsFlags,
 Credential: &syscall.Credential{
- // FIXME: setting the uid wipes out any set capabilities
- // Uid: c.Spec.Process.User.UID,
+ Uid: c.Spec.Process.User.UID,
 Gid: c.Spec.Process.User.GID,
 Groups: c.Spec.Process.User.AdditionalGids,
 },
diff --git a/oci.sh b/oci.sh
index 9897182..01c0d89 100755
--- a/oci.sh
+++ b/oci.sh
@@ -59,7 +59,7 @@ tests=(
 "process_oom_score_adj"
 # "process_rlimits"
 # "process_rlimits_fail"
-# "process_user"
+ "process_user"
 # "root_readonly_true"
 "start"
 "state"
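Review bot: `GidMappingsEnableSetgroups: true` is now set unconditionally, which makes the Go runtime write "allow" instead of "deny" to the child's /proc/<pid>/setgroups before it populates gid_map; an unprivileged writer may only populate gid_map after setgroups has been denied, so a rootless invocation of Init would fail the gid mapping with EPERM where the previous `false` worked, while a run with CAP_SETGID in the parent user namespace is unaffected. If the flip exists so that the re-exec'd child can call setgroups for the spec's AdditionalGids, consider tying it to that need, e.g. `GidMappingsEnableSetgroups: c.Spec.Process != nil && len(c.Spec.Process.User.AdditionalGids) > 0,`, and add a one-line comment recording why it changed. Init continues outside this hunk, and the clone/unshare flags this SysProcAttr pairs with are computed in the earlier hunk.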
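Review bot: The new `Uid: c.Spec.Process.User.UID` line dereferences `c.Spec.Process` without a check, while the ambient-capabilities block added directly above guards `c.Spec.Process != nil`; the Gid and Groups lines already had the same unguarded access, so this is not a regression, but a nil guard sitting next to an unguarded use of the same field is confusing — either the guard is unnecessary or one `c.Spec.Process == nil` check should be hoisted above both and turned into a returned error instead of a panic. The removed FIXME said that setting the uid wiped the capabilities; with AmbientCaps and Credential now in the same SysProcAttr the ordering of the uid change and the ambient raise is delegated to the Go runtime, so a comment such as `// AmbientCaps is applied in the same SysProcAttr as Credential; the ambient set is expected to survive the uid change (covered by the process_user OCI test)` would record why the FIXME no longer applies. Minor: the loop variable `cap` shadows the builtin `cap`; `for _, name := range c.Spec.Process.Capabilities.Ambient {` avoids that (the same loop was removed from Init by this commit). Reexec continues outside this hunk.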