by zamalek 485 days ago
FWIW you can unshare PID and user at the same time: https://github.com/porkg/porkg/blob/rs/crates/porkg-linux/sr...

If you don't care about being able to use different uids and gids then simply become root in the new namespace: https://github.com/porkg/porkg/blob/rs/crates/porkg-linux/sr... . Root inside the namespace will then be equivalent to the original uid+gid outside.

I am using clone, which has the very important caveat: more than one thread running is UB. That's why I use a zygote (a process forked from the root very early on - i.e. before starting the tokio runtime). You can probably avoid all of that by using exec+unshare.

But, given you're running on old kernels and constrained environments this may not be possible at all. Maybe make it configurable?

1 comment

Ubuntu [0] and some other distros have been trending towards disabling unprivileged user namespaces, unless you have specific AppArmor capabilities or other such mechanisms. So it's not something you can count on being available, unfortunately. (At least, not without jumping through many hoops to satisfy every distro's maintainers.) I've also had some ideas that have been stymied by a lack of unprivileged user namespaces.

[0] https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged...
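The two comments above describe the same sandboxing step from opposite sides: one combines a user and PID namespace in a single unshare() and maps root inside to the caller's uid/gid outside; the other warns that distros such as Ubuntu now refuse unprivileged user namespaces, so a program cannot assume the call succeeds. The program below is an added example (not code from the porkg project or from either commenter) that does both: it enters the namespaces with the uid_map/gid_map writes the kernel requires, and it probes availability in a forked child so the parent can fall back or report a policy refusal instead of dying. It assumes Linux with glibc and the standard /proc interface; the function names are the example's own.

```c
/* Added example: unshare user+PID namespaces in one call, map uid 0 / gid 0
 * inside to the caller's effective uid / gid outside, and probe first whether
 * the kernel or distro policy allows unprivileged user namespaces at all.
 * Linux + glibc only; function names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Format one "inside outside count" line for /proc/self/{uid,gid}_map.
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write a short string to a /proc file in a single write(2); the id_map
 * files reject partial or repeated writes. Returns 0 or -errno. */
static int write_proc(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, data, strlen(data));
    int saved = (n < 0) ? errno : 0;
    close(fd);
    return (n < 0) ? -saved : 0;
}

/* Unshare user and PID namespaces together and make uid 0 / gid 0 inside the
 * new user namespace an alias for the caller's effective uid / gid outside.
 * Must run in a single-threaded process: unshare(CLONE_NEWUSER) fails with
 * EINVAL otherwise, which is the constraint the zygote pattern works around.
 * Returns 0 or -errno. */
int enter_user_pid_ns(void)
{
    unsigned uid = (unsigned)geteuid();
    unsigned gid = (unsigned)getegid();
    char map[64];
    int rc;

    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) < 0)
        return -errno;            /* EPERM: unprivileged userns refused by policy */

    /* Since Linux 3.19 an unprivileged process must disable setgroups()
       in the new namespace before it is allowed to write gid_map. */
    if ((rc = write_proc("/proc/self/setgroups", "deny")) < 0)
        return rc;

    if (format_id_map(map, sizeof map, 0, uid, 1) < 0)
        return -EINVAL;
    if ((rc = write_proc("/proc/self/uid_map", map)) < 0)
        return rc;
    if (format_id_map(map, sizeof map, 0, gid, 1) < 0)
        return -EINVAL;
    if ((rc = write_proc("/proc/self/gid_map", map)) < 0)
        return rc;
    return 0;
}

/* Probe in a forked child so the caller's own namespaces stay untouched.
 * Returns 0 if the child entered the namespaces and saw itself as uid 0,
 * a positive errno (typically EPERM) if the kernel or distro refused, or -1
 * if fork/wait failed or the child died abnormally. The child itself stays
 * in the old PID namespace; only its own children would land in the new one. */
int probe_user_pid_ns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = enter_user_pid_ns();
        if (rc < 0)
            _exit((-rc) & 0xff);   /* pass errno back in the exit status */
        /* root inside the namespace == original uid outside */
        _exit((getuid() == 0 && geteuid() == 0) ? 0 : 255);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = probe_user_pid_ns();
    if (rc == 0)
        puts("unprivileged user+pid namespaces: available");
    else if (rc > 0)
        printf("unprivileged user+pid namespaces: refused (%s)\n", strerror(rc));
    else
        puts("probe failed");
    return rc == 0 ? 0 : 1;
}
```

Running the probe before committing to the namespace path is what makes the "make it configurable" suggestion cheap to honour: a refusal comes back as a plain errno from the child rather than as a failure inside the already half-constructed sandbox.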