#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mount.h>

void do_unshare(void)
{
	FILE *f;
	uid_t uid = geteuid();
	gid_t gid = getegid();

	/* new mount namespace plus new user namespace; no error checking here */
	unshare(CLONE_NEWNS|CLONE_NEWUSER);

	/* map our euid to uid 0 inside the new userns */
	f = fopen("/proc/self/uid_map", "w");
	fprintf(f, "0 %u 1", (unsigned)uid);
	fclose(f);

	/* setgroups must be denied before an unprivileged process may write gid_map */
	f = fopen("/proc/self/setgroups", "w");
	fprintf(f, "deny");
	fclose(f);

	f = fopen("/proc/self/gid_map", "w");
	fprintf(f, "0 %u 1", (unsigned)gid);
	fclose(f);

	/* make the whole mount tree private so our mounts don't propagate back */
	mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL);
}
This obviously needs error checking - in this form it won't do anything good without userns enabled (coredump on the first fprintf() in there, since there won't be /proc/self/uid_map); should probably just report CLONE_NEWUSER failure, warn about skipped tests, fall back to unshare(CLONE_NEWNS) and skip everything in in_child()...
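An added example (not code from the thread) of the fallback described above: it checks every step, reports when CLONE_NEWUSER is unavailable, retries with unshare(CLONE_NEWNS) alone, and returns a state the caller can use to skip the user-namespace-only tests. The enum names, format_id_map() and write_proc() are this example's own; unshare is reached through syscall(SYS_unshare, ...) and the CLONE_* values are guarded with fallbacks so the file builds regardless of whether _GNU_SOURCE took effect before <sched.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Fallbacks in case <sched.h> was pulled in without _GNU_SOURCE (values from the uapi headers). */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Hypothetical result type for the caller: which namespaces we actually got. */
enum ns_state { NS_FAILED = -1, NS_MOUNT_ONLY = 0, NS_USER_AND_MOUNT = 1 };

/* Build the one-line map body "0 <outside> 1". Returns length or -1 if buf is too small. */
static int format_id_map(char *buf, size_t len, unsigned long outside)
{
	int n = snprintf(buf, len, "0 %lu 1", outside);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write text to a procfs file in one go. Returns 0 or -errno; the kernel reports
 * map/setgroups errors at write time, so fclose() must be checked too. */
static int write_proc(const char *path, const char *text)
{
	int ret = 0;
	FILE *f = fopen(path, "w");
	if (!f)
		return -errno;
	if (fputs(text, f) == EOF)
		ret = -errno;
	if (fclose(f) == EOF && ret == 0)
		ret = -errno;
	return ret;
}

static enum ns_state do_unshare_checked(void)
{
	uid_t uid = geteuid();
	gid_t gid = getegid();
	char map[64];
	int have_userns = 1;
	int ret;

	if (syscall(SYS_unshare, CLONE_NEWNS | CLONE_NEWUSER) < 0) {
		/* userns disabled or forbidden: say so, then try a mount namespace alone */
		fprintf(stderr, "unshare(CLONE_NEWUSER): %s; skipping user-namespace tests\n",
			strerror(errno));
		have_userns = 0;
		if (syscall(SYS_unshare, CLONE_NEWNS) < 0) {
			fprintf(stderr, "unshare(CLONE_NEWNS): %s\n", strerror(errno));
			return NS_FAILED;
		}
	} else {
		/* same three writes as before, now checked; order matters: setgroups before gid_map */
		format_id_map(map, sizeof map, (unsigned long)uid);
		ret = write_proc("/proc/self/uid_map", map);
		if (ret == 0)
			ret = write_proc("/proc/self/setgroups", "deny");
		if (ret == 0) {
			format_id_map(map, sizeof map, (unsigned long)gid);
			ret = write_proc("/proc/self/gid_map", map);
		}
		if (ret) {
			fprintf(stderr, "writing id maps: %s\n", strerror(-ret));
			return NS_FAILED;
		}
	}

	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) {
		fprintf(stderr, "mount(/, MS_REC|MS_PRIVATE): %s\n", strerror(errno));
		return NS_FAILED;
	}
	return have_userns ? NS_USER_AND_MOUNT : NS_MOUNT_ONLY;
}

int main(void)
{
	enum ns_state s = do_unshare_checked();
	printf("namespace state: %d (euid now %u)\n", (int)s, (unsigned)geteuid());
	return s == NS_FAILED ? 1 : 0;
}
```

With this, the test driver can run everything on NS_USER_AND_MOUNT, run only the parts that need a private mount tree on NS_MOUNT_ONLY (skipping what in_child() does), and bail out on NS_FAILED instead of dereferencing a NULL FILE *.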