Description
- To reproduce on openSUSE Tumbleweed, as root:

```sh
zypper ar -f https://download.opensuse.org/repositories/home:/kukuk:/no_new_privs/openSUSE_Tumbleweed/ no_new_privs
zypper -n --gpg-auto-import-keys install --force-resolution --allow-vendor-change enable-no_new_privs
systemctl enable --now polkit-agent-helper.socket
sed -ri 's/^(SELINUX)=.*/\1=permissive/' /etc/selinux/config
reboot
```

- Log in as user and run

```sh
rootlesskit true
```
Tried with packaged 2.3.5 and upstream 2.3.6 & 3.0.0-alpha1
Expected behaviour: Success when running with no-new-privs, or a quick error message when run with setpriv:

```
$ setpriv --no-new-privs rootlesskit true
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 81652 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
: exit status 1
```
For now we have the situation that rootless podman works but not yet rootless docker.
Related: thkukuk/account-utils#18
For added context: https://www.thkukuk.de/blog/no_new_privs/
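The failure in the report comes from newuidmap needing a privilege gain at exec (setuid bit or file capabilities) that no_new_privs forbids. The following preflight script is an added example, not code from the rootlesskit project or from the issue reporter: it reads the `NoNewPrivs:` field of `/proc/self/status`, inspects the newuidmap binary, and predicts whether the uid_map write will hit EPERM. It assumes newuidmap is found in `PATH`, that `stat -c %A` (GNU coreutils) is available, and that `getcap` prints nothing for a file without capabilities; the `verdict` function is separated from the live lookup so it can be exercised against constructed inputs.

```shell
#!/bin/sh
# Preflight check for rootlesskit on a host that sets no_new_privs.
# Added example; not part of rootlesskit or of the issue above.
# Assumptions: newuidmap is the helper rootlesskit calls (as in the
# reported error), installed either setuid root or with file capabilities.
# Both privilege-gain mechanisms are disabled once no_new_privs is set.

# Extract the NoNewPrivs value from /proc/<pid>/status text passed as $1.
# Prints 0 or 1, or "unknown" when the field is absent (older kernels).
nnp_from_status() {
    printf '%s\n' "$1" | awk '
        /^NoNewPrivs:/ { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# True if a symbolic mode such as "-rwsr-xr-x" carries the setuid bit
# (the 4th character is "s" or "S").
mode_is_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Decide whether newuidmap can still raise privileges for the caller.
# $1 = NoNewPrivs value (0/1/unknown), $2 = symbolic mode of newuidmap,
# $3 = "caps" if getcap reports file capabilities on it, else "nocaps".
# Prints a one-line verdict; returns 0 when the uid_map write is expected
# to succeed, 1 when it will fail as in the report.
verdict() {
    nnp=$1; mode=$2; caps=$3
    if mode_is_setuid "$mode" || [ "$caps" = "caps" ]; then
        if [ "$nnp" = "1" ]; then
            echo "newuidmap needs a privilege gain at exec but no_new_privs=1: expect 'write to uid_map failed: Operation not permitted'"
            return 1
        fi
        echo "ok: newuidmap can gain privileges (no_new_privs=$nnp)"
        return 0
    fi
    echo "newuidmap is neither setuid nor capability-tagged: uid/gid mapping cannot be set up through it"
    return 1
}

# Run the check against the live system (assumes GNU stat and getcap).
preflight() {
    path=$(command -v newuidmap) || { echo "newuidmap not found in PATH"; return 1; }
    nnp=$(nnp_from_status "$(cat /proc/self/status)")
    mode=$(stat -c %A "$path")
    caps=nocaps
    if command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$path" 2>/dev/null)" ]; then
        caps=caps
    fi
    verdict "$nnp" "$mode" "$caps"
}

# Usage: sh preflight.sh --check
# Compare: setpriv --no-new-privs sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Running it under `setpriv --no-new-privs` reproduces the condition from the report without touching rootlesskit, which is the quick error message the reporter asks for; the same check could run before rootlesskit forks its parent so the failure is explained rather than surfaced as a raw EPERM from newuidmap.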