From a2dacef5d7978e76e1c9d342217ebce470112cd4 Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Fri, 29 Mar 2019 21:38:14 +0100
Subject: [PATCH] allow to use nsjail w/o namespaces
---
 cmdline.cc | 1 +
 mnt.cc | 5 +----
 nsjail.h | 1 +
 user.cc | 24 ++++++++++++++----------
 4 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/cmdline.cc b/cmdline.cc
index 4d273e6..ecc0419 100644
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -432,6 +432,7 @@ std::unique_ptr parseArgs(int argc, char* argv[]) {
 nsjconf->iface_vs_gw = "0.0.0.0";
 nsjconf->iface_vs_ma = "";
 nsjconf->orig_uid = getuid();
+ nsjconf->orig_euid = geteuid();
 nsjconf->num_cpus = sysconf(_SC_NPROCESSORS_ONLN);
 nsjconf->seccomp_fprog.filter = NULL;
 nsjconf->seccomp_fprog.len = 0;
diff --git a/mnt.cc b/mnt.cc
index 8b1c9b2..26bd5a8 100644
--- a/mnt.cc
+++ b/mnt.cc
@@ -344,10 +344,7 @@ static bool initNsInternal(nsjconf_t* nsjconf) {
 */
 if (!nsjconf->clone_newns) {
 if (nsjconf->chroot.empty()) {
- PLOG_E(
- "--chroot was not specified, and it's required when not using "
- "CLONE_NEWNS");
- return false;
+ return true;
 }
 if (chroot(nsjconf->chroot.c_str()) == -1) {
 PLOG_E("chroot('%s')", nsjconf->chroot.c_str());
diff --git a/nsjail.h b/nsjail.h
index f91b8fd..9f1a19c 100644
--- a/nsjail.h
+++ b/nsjail.h
@@ -144,6 +144,7 @@ struct nsjconf_t {
 bool seccomp_log;
 long num_cpus;
 uid_t orig_uid;
+ uid_t orig_euid;
 std::vector mountpts;
 std::vector pids;
 std::vector uids;
diff --git a/user.cc b/user.cc
index a395f05..04d9723 100644
--- a/user.cc
+++ b/user.cc
@@ -77,12 +77,12 @@ static bool setResUid(uid_t uid) {
 return true;
 }
-static bool setGroups(pid_t pid) {
+static bool setGroups(nsjconf_t* nsjconf, pid_t pid) {
 /*
 * No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to
 * uid_map/gid_map will succeed anyway
 */
- if (geteuid() == 0) {
+ if (!nsjconf->clone_newuser || nsjconf->orig_euid == 0) {
 return true;
 }
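Review bot: In mnt.cc, initNsInternal now returns true without any log output when CLONE_NEWNS is disabled and --chroot is empty, so a run with no filesystem isolation at all is indistinguishable in the logs from a confined one. A warning before the new `return true;`, for example `LOG_W("CLONE_NEWNS is disabled and --chroot is not set: the process keeps the caller's filesystem view");`, would make the weakened configuration visible to whoever operates the jail. The block comment that closes just above this branch lies outside the hunk and may still describe --chroot as mandatory, so it is worth re-reading alongside this change. The function body starts and ends outside the hunk.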
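Review bot: In user.cc, the comment kept above the new condition in setGroups still explains only the euid==0 case, while the condition now also returns early when clone_newuser is false. Suggest extending it with a line such as `* Also nothing to do when no user namespace is created (clone_newuser is false)`. The test also moved from a live geteuid() call to nsjconf->orig_euid, which is captured once in parseArgs; the two agree only while the effective uid does not change between argument parsing and this call, which is presumably the case but deserves a one-line comment on the orig_euid field in nsjail.h.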
@@ -214,7 +214,7 @@ static bool uidGidMap(nsjconf_t* nsjconf, pid_t pid) {
 }
 bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
- if (!setGroups(pid)) {
+ if (!setGroups(nsjconf, pid)) {
 return false;
 }
 if (!nsjconf->clone_newuser) {
@@ -227,13 +227,8 @@ bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid) {
 }
 bool initNsFromChild(nsjconf_t* nsjconf) {
- /*
- * Best effort because of /proc/self/setgroups
- */
- LOG_D("setgroups(0, NULL)");
- const gid_t* group_list = NULL;
- if (setgroups(0, group_list) == -1) {
- PLOG_D("setgroups(NULL) failed");
+ if (!nsjconf->clone_newuser && nsjconf->orig_euid != 0) {
+ return true;
 }
 /*
@@ -246,6 +241,15 @@ bool initNsFromChild(nsjconf_t* nsjconf) {
 return false;
 }
+ /*
+ * Best effort because of /proc/self/setgroups
+ */
+ LOG_D("setgroups(0, NULL)");
+ const gid_t* group_list = NULL;
+ if (setgroups(0, group_list) == -1) {
+ PLOG_D("setgroups(NULL) failed");
+ }
+
 if (!setResGid(nsjconf->gids[0].inside_id)) {
 PLOG_E("setresgid(%u)", nsjconf->gids[0].inside_id);
 return false;
--
2.7.4
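Review bot: The early return added at the top of initNsFromChild skips every credential change that follows (the setgroups and setResGid calls are visible in the next hunk) whenever clone_newuser is false and orig_euid is non-zero, and it does so without a log line, so the configured inside uid/gid values are silently ignored in that mode. The test uses the effective uid as a stand-in for the ability to change credentials; a caller with a non-zero euid that still holds CAP_SETUID/CAP_SETGID would keep its original ids and groups even though it could drop them, although that is inferred, since the caller's setup is not visible here. A `LOG_D("not changing uid/gid/groups: no CLONE_NEWUSER and euid != 0");` before `return true;`, together with a short comment stating the rationale, would document the behaviour. The function continues outside the hunk.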
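Review bot: The relocated setgroups(0, NULL) call in initNsFromChild stays best-effort, but the reason given in its comment (/proc/self/setgroups) only applies when a user namespace is in use. With this commit the same path also runs as root without CLONE_NEWUSER, where a failure would leave the caller's supplementary groups in place after setResGid and is reported only at debug level. Consider failing hard in that case by adding `if (!nsjconf->clone_newuser) { PLOG_E("setgroups(0, NULL)"); return false; }` at the top of the failure branch, ahead of the existing `PLOG_D`. The comment could then read `Best effort only with CLONE_NEWUSER, where /proc/self/setgroups may deny the call`. The function continues outside the hunk.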