syscall: correctly set up uid/gid mappings in user namespaces

Before this CL, uid/gid mapping was always set up from the parent
process, which is a privileged operation.

When using unprivileged user namespaces, a process can modify its
uid/gid mapping after the unshare(2) call (but setting the uid/gid
mapping from another process is NOT possible).

Fixes #29789

Change-Id: I8c96a03f5da23fe80bbb83ef051ad89cf185d750
Reviewed-on: https://go-review.googlesource.com/c/go/+/158298
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

src/syscall/exec_linux_test.go

@@ -434,6 +434,49 @@ func TestUnshareMountNameSpaceChroot(t *testing.T) {
 	}
 }
 
+func TestUnshareUidGidMappingHelper(*testing.T) {
+	if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
+		return
+	}
+	defer os.Exit(0)
+	if err := syscall.Chroot(os.TempDir()); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(2)
+	}
+}
+
+// Test for Issue 29789: unshare fails when uid/gid mapping is specified
+func TestUnshareUidGidMapping(t *testing.T) {
+	if os.Getuid() == 0 {
+		t.Skip("test exercises unprivileged user namespace, fails with privileges")
+	}
+	checkUserNS(t)
+	cmd := exec.Command(os.Args[0], "-test.run=TestUnshareUidGidMappingHelper")
+	cmd.Env = append(os.Environ(), "GO_WANT_HELPER_PROCESS=1")
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Unshareflags:               syscall.CLONE_NEWNS | syscall.CLONE_NEWUSER,
+		GidMappingsEnableSetgroups: false,
+		UidMappings: []syscall.SysProcIDMap{
+			{
+				ContainerID: 0,
+				HostID:      syscall.Getuid(),
+				Size:        1,
+			},
+		},
+		GidMappings: []syscall.SysProcIDMap{
+			{
+				ContainerID: 0,
+				HostID:      syscall.Getgid(),
+				Size:        1,
+			},
+		},
+	}
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Cmd failed with err %v, output: %s", err, out)
+	}
+}
+
 type capHeader struct {
 	version uint32
 	pid     int32