How runc write uid_map/gid_map and makes /proc/sys/net/ipv4/ping_group_range works ?

[comicfans]

Hello runc developers, I'm learning how namespace works,
I found my test program, which create ICMP_PROTO socket,
can only works under docker, but not under bazel linux-sandbox.

this program requires /proc/sys/net/ipv4/ping_group_range to be valid to work properly,
( running user group must belongs to this file low-high range)
then during check, I found under docker (my user belongs to docker group, and I run docker as normal user)

docker run \
--rm \
-it \
--network=none \
-u $(id -u):$(id -g) \ 
--privileged
-v /work_dir:/mnt bash

I have

id 
uid=1009 gid=1010 groups=1010
/proc/self/uid_map 
0 0 4294967295
/proc/self/gid_map
0 0 4294967295
/proc/sys/net/ipv4/ping_group_range
0 2147483647.  (on my host, this is 0 65535)

if run docker as root

docker run \
--rm \
-it \
--network=none \
--privileged
-v /work_dir:/mnt bash

I have

id 
uid = 0(root) gid=0(root) groups=0(root), 1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
uid=1009 gid=1010 groups=1010
/proc/self/uid_map 
0 0 4294967295
/proc/self/gid_map
0 0 4294967295
/proc/sys/net/ipv4/ping_group_range
0 2147483647.  (on my host, this is 0 65535)

seems that docker has a separate network namespace, and my test program can work properly

but under bazel linux-sandbox (also as normal user)

linux-sandbox -N -- /bin/bash

I have

id
uid=1009(myname) gid=1010 (myname) groups=1010(myname) 65534(nogroup)
/proc/self/uid_map
1009 1009 1
/proc/self/gid_map
1010 1010 1
/proc/sys/net/ipv4/ping_group_range
65534 65534 (on my host, this is 0 65535)

or if run bazel linux-sandbox with fakeroot (only map inner user to 0)

linux-sandbox -N -R -- /bin/bash

I have

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
/proc/self/uid_map
0 1009 1
/proc/self/gid_map
0 1010 1
/proc/sys/net/ipv4/ping_group_range
65534 65534 (on my host, this is 0 65535)

seems I have some invalid group id inside bazel linux-sandbox.
according to this
and my kernel debug, the /proc/sys/net/ipv4/ping_group_range shows 65534/65534 because inside bazel linux-sandbox, kernel treat me as invalid group, thus my test program (which requires ping_group_range be valid) is broken.

I found someone said

Access to ICMP_PROTO is controlled by net.ipv4.ping_group_range sysctl. It is reset to default in new net namespace. 
. Default is to not allow any user, even root. 

is it true? does runc do something special to make it work inside new namespace ?
and even I use bazel linux-sandbox fakeroot (map user as zero), I can't write correct value to this sysctl (I can update this value on host , or under docker run --rm -it --privileged --network=none bash without problem), according to this, I think this is still be problem that kernel treat my group in bazel linux-sandbox is invalid.

then I tried to modify bazel source code to write uid_map/gid_map as docker
from

WriteFile("/proc/self/uid_map", "%u %u 1\n", inner_uid,global_outer_uid)

to

WriteFile("/proc/self/uid_map", "%u %u 1000\n", inner_uid,global_outer_uid)

or

WriteFile("/proc/self/uid_map", "%u %u 4294967295\n", 0,0)

they both failed , no matter if I run bazel linux-sandbox as normal user or root.seems it can only write the range as 1.

my question is , how runc deal with the network namespace, and the user map during initialize, to make them work ?
why under bazel linux-sandbox, kernel treat me as invalid group ? how can I set uid/gid_map as docker's ? thanks for any advice

[cyphar]

1. Your regular docker run is actually spawning a container without user namespaces (docker run is run as an unprivileged user but the Docker daemon runs as root). Docker also sets up the network namespace to allow for unprivileged pings automatically.
2. linux-sandbox is using unprivileged user namespaces (rootless containers), which means that only one user is mapped. You cannot change /proc/self/uid_map or /proc/self/gid_map after they have been set, and in this case the container process is unprivileged so it wouldn't be able to change the maps to anything else even if it wanted to.

The simplest solution is probably to just run linux-sandbox as root. User namespaces result in more secure containers, and if you'd like more information I can try to find some articles, but it seems you just want it to work the same as Docker.

(Also, I don't know what linux-sandbox is. Do they even use runc? This is the runc project issue tracker.)

[comicfans]

Thank you for the answer. seems that I missed the https://man7.org/linux/man-pages/man7/user_namespaces.7.html description about unpriviledged namespaces. after some working, I figure out how it works. for linux-sandbox unpriviledged namespace, it only map 1 uid/gid, but after namespace created, /sys/proc/net/ipv4/ping_group_range is reset to 1 0, even gid_map map user as root (gid =0), the value 1 still mapped to invalid gid (kernel sysctl_net_ipv4.c), thus this sysctl is always incorrect (shown as 65534). only way to resolve it is to write "0 0" to /sys/proc/net/ipv4/ping_group_range, so 0 can map back to valid gid. I found podman also has this behavior containers/podman#13194.

and linux-sandbox is a tool of bazel, which used to isolate build/test process. I'm asking here because I found they both utilize namespace, but my program only behavior correctly under docker, not under bazel linux-sandbox

[comicfans]

and one more question, if I use unprivileged namespace, is it possible to do some root level config to system ? I found that before uid_map/gid_map once write, my gid is 65534 (which seems to be invalid group id), and only after the gid_map written (map with 0), then I'm able to write to /proc/sys/net/ipv4/ping_group_range (it require root permission to write), which seems a little wired (maybe limitation of kernel I think ?) , it can already call mount to config namespace, but can't write to /proc/sys to do some init alike config.

[cyphar]

You need to have a new network namespace to be able to modify /proc/sys/net (it would not be safe to allow an unprivileged user to modify the host's network configuration).

However, a new network namespace (for rootless containers / in an unprivileged user namespace) won't have internet connectivity because you don't have permissions to create the necessary bridge network device on the host. You need to use tools like bypass4netns or slirp4netns to get network connectivity. See https://github.com/rootless-containers for more information.

[comicfans]

Thank you very much, will take a look. my usage is quite simple, no need to have real world internet connectivity, just be able to change /proc/sys/net/ipv4/ping_group_range to valid range with unprivileged user. now It works as 'fake root' (map uid as 0), but not work as 'non-fake-root'. according to containers/podman#13194 seems this is not possible.