unshare --user=<file> always fails because we no longer have CAP_SYS_ADMIN
in the parent user namespace after unsharing to create the new one. As with
unshare --mount=<file>, fork a child to make the bind mount instead.
Signed-off-by: Chris Webb <chris@arachsys.com>
/* clear any inherited settings */
signal(SIGCHLD, SIG_DFL);
- if (npersists && (unshare_flags & CLONE_NEWNS))
+ if (npersists && (unshare_flags & (CLONE_NEWNS | CLONE_NEWUSER)))
pid_bind = bind_ns_files_from_child(&fd_bind);
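Review bot: The CLONE_NEWUSER bit added to this condition is there for a different reason than the CLONE_NEWNS bit it is folded into, and nothing at the call site records that reason; a reader will read the test as being only about the mount namespace. A one-line comment above the `if` would keep the rationale from the commit message next to the code: `/* with CLONE_NEWUSER the parent loses CAP_SYS_ADMIN in its original userns once unshare() returns, so a forked child has to make the bind mounts */`. The same mask is repeated verbatim in the second hunk's `pid_bind && (unshare_flags & (CLONE_NEWNS | CLONE_NEWUSER))` check, so the two sites can drift apart; computing it once, e.g. `const int bind_from_child = unshare_flags & (CLONE_NEWNS | CLONE_NEWUSER);`, and using it in both places would keep them in step. The enclosing function starts before this hunk and the second hunk continues past what is shown here.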
if (usermap || groupmap)
if (npersists && (pid || !forkit)) {
/* run in parent */
- if (pid_bind && (unshare_flags & CLONE_NEWNS))
+ if (pid_bind && (unshare_flags & (CLONE_NEWNS | CLONE_NEWUSER)))
sync_with_child(pid_bind, fd_bind);
else
/* simple way, just bind */