reapply avagin's --unprivileged flag to recent gvisor

Attempt to reapply the --unprivileged flag patch given here:
google#4371 (comment)

Author: paulfitz

runsc/cmd/do.go

@@ -140,7 +140,7 @@ func (c *Do) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcommand
 	conf := args[0].(*config.Config)
 	waitStatus := args[1].(*unix.WaitStatus)
 
-	if conf.Rootless {
+	if conf.Rootless && !conf.Unprivileged {
 		if err := specutils.MaybeRunAsRoot(); err != nil {
 			return util.Errorf("Error executing inside namespace: %v", err)
 		}

runsc/cmd/gofer.go

@@ -153,6 +153,8 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomm
 	g.syncFDs.syncNVProxy()
 	g.syncFDs.syncUsernsForRootless()
 
+        root := "/"
+        if !conf.Unprivileged {
 	if g.setUpRoot {
 		if err := g.setupRootFS(spec, conf); err != nil {
 			util.Fatalf("Error setting up root FS: %v", err)
@@ -170,11 +172,13 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomm
 		util.Fatalf("setCapsAndCallSelf(%v, %v): %v", args, goferCaps, setCapsAndCallSelf(args, goferCaps))
 		panic("unreachable")
 	}
+        }
 
 	// Start profiling. This will be a noop if no profiling arguments were passed.
 	profileOpts := g.profileFDs.ToOpts()
 	g.stopProfiling = profile.Start(profileOpts)
 
+        if !conf.Unprivileged {
 	// At this point we won't re-execute, so it's safe to limit via rlimits. Any
 	// limit >= 0 works. If the limit is lower than the current number of open
 	// files, then Setrlimit will succeed, and the next open will fail.
@@ -193,10 +197,11 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomm
 	}
 
 	// Find what path is going to be served by this gofer.
-	root := spec.Root.Path
+	root = spec.Root.Path
 	if !conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
 		root = "/root"
 	}
+        }
 
 	// Resolve mount points paths, then replace mounts from our spec and send the
 	// mount list over to the sandbox, so they are both in sync.
@@ -231,13 +236,15 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomm
 	// procfs isn't needed anymore.
 	g.syncFDs.unmountProcfs()
 
+        if root != "/" {
 	if err := unix.Chroot(root); err != nil {
 		util.Fatalf("failed to chroot to %q: %v", root, err)
 	}
 	if err := unix.Chdir("/"); err != nil {
 		util.Fatalf("changing working dir: %v", err)
 	}
 	log.Infof("Process chroot'd to %q", root)
+        }
 
 	// Initialize filters.
 	opts := filter.Options{

runsc/cmd/run.go

@@ -84,9 +84,11 @@ func (r *Run) Execute(_ context.Context, f *flag.FlagSet, args ...any) subcomman
 			return util.Errorf("sandbox network isn't supported with --rootless, use --network=none or --network=host")
 		}
 
+                if !conf.Unprivileged {
 		if err := specutils.MaybeRunAsRoot(); err != nil {
 			return util.Errorf("Error executing inside namespace: %v", err)
 		}
+                }
 		// Execution will continue here if no more capabilities are needed...
 	}
 

runsc/config/config.go

@@ -260,6 +260,8 @@ type Config struct {
 	// should not have a symlink.
 	Rootless bool `flag:"rootless"`
 
+        Unprivileged bool `flag:"unprivileged"`
+
 	// AlsoLogToStderr allows to send log messages to stderr.
 	AlsoLogToStderr bool `flag:"alsologtostderr"`
 

runsc/config/flags.go

@@ -85,6 +85,7 @@ func RegisterFlags(flagSet *flag.FlagSet) {
 	flagSet.String("profile-mutex", "", "collects a mutex profile to this file path for the duration of the container execution. Requires -profile=true.")
 	flagSet.String("trace", "", "collects a Go runtime execution trace to this file path for the duration of the container execution.")
 	flagSet.Bool("rootless", false, "it allows the sandbox to be started with a user that is not root. Sandbox and Gofer processes may run with same privileges as current user.")
+        flagSet.Bool("unprivileged", false, "it allows the sandbox to be started with a user that is not root and doesn't have privileges to create a new user namespace. Sandbox and Gofer processes may run with same privileges as current user.")
 	flagSet.Var(leakModePtr(refs.NoLeakChecking), "ref-leak-mode", "sets reference leak check mode: disabled (default), log-names, log-traces.")
 	flagSet.Bool("cpu-num-from-quota", false, "set cpu number to cpu quota (least integer greater or equal to quota value, but not less than 2)")
 	flagSet.Bool("oci-seccomp", false, "Enables loading OCI seccomp filters inside the sandbox.")

runsc/container/container.go

@@ -1322,15 +1322,17 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *config.Config, bu
 
 	// Enter new namespaces to isolate from the rest of the system. Don't unshare
 	// cgroup because gofer is added to a cgroup in the caller's namespace.
-	nss := []specs.LinuxNamespace{
+        nss := []specs.LinuxNamespace{}
+	rootlessEUID := unix.Geteuid() != 0
+	if !conf.Unprivileged {
+        nss = []specs.LinuxNamespace{
 		{Type: specs.IPCNamespace},
 		{Type: specs.MountNamespace},
 		{Type: specs.NetworkNamespace},
 		{Type: specs.PIDNamespace},
 		{Type: specs.UTSNamespace},
-	}
+        }
 
-	rootlessEUID := unix.Geteuid() != 0
 	// Setup any uid/gid mappings, and create or join the configured user
 	// namespace so the gofer's view of the filesystem aligns with the
 	// users in the sandbox.
@@ -1353,6 +1355,7 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *config.Config, bu
 		}
 		defer syncFile.Close()
 	}
+        }
 
 	nvProxySetup, err := nvproxySetupAfterGoferUserns(spec, conf, cmd, &donations)
 	if err != nil {
@@ -1372,7 +1375,7 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *config.Config, bu
 	c.goferIsChild = true
 
 	// Set up and synchronize rootless mode userns mappings.
-	if rootlessEUID {
+	if rootlessEUID && !conf.Unprivileged {
 		if err := sandbox.SetUserMappings(spec, cmd.Process.Pid); err != nil {
 			return nil, nil, nil, err
 		}

runsc/sandbox/sandbox.go

@@ -958,8 +958,11 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn
 	// are virtualized inside the sandbox. Be paranoid and run inside an empty
 	// namespace for these. Don't unshare cgroup because sandbox is added to a
 	// cgroup in the caller's namespace.
+	nss := []specs.LinuxNamespace{}
+	setUserMappings := false
+        if !conf.Unprivileged {
 	log.Infof("Sandbox will be started in new mount, IPC and UTS namespaces")
-	nss := []specs.LinuxNamespace{
+	nss = []specs.LinuxNamespace{
 		{Type: specs.IPCNamespace},
 		{Type: specs.MountNamespace},
 		{Type: specs.UTSNamespace},
@@ -997,7 +1000,6 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn
 	// namespace specified in the spec or the current namespace if none is
 	// configured.
 	rootlessEUID := unix.Geteuid() != 0
-	setUserMappings := false
 	if conf.Network == config.NetworkHost || conf.DirectFS {
 		if userns, ok := specutils.GetNS(specs.UserNamespace, args.Spec); ok {
 			log.Infof("Sandbox will be started in container's user namespace: %+v", userns)
@@ -1088,6 +1090,7 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn
 			return fmt.Errorf("can't run sandbox process as user nobody since we don't have CAP_SETUID or CAP_SETGID")
 		}
 	}
+        }
 
 	// The current process' stdio must be passed to the application via the
 	// --stdio-fds flag. The stdio of the sandbox process itself must not
@@ -1696,7 +1699,7 @@ func (s *Sandbox) waitForStopped() error {
 // configureStdios change stdios ownership to give access to the sandbox
 // process. This may be skipped depending on the configuration.
 func (s *Sandbox) configureStdios(conf *config.Config, stdios []*os.File) error {
-	if conf.Rootless || conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
+	if conf.Unprivileged || conf.Rootless || conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
 		// Cannot change ownership without CAP_CHOWN.
 		return nil
 	}