Implement /proc/sys/user/max_user_namespaces ?

[Evolto2019]

Description

Bubblewrap with option "--disable-userns" enabled fails to run in gvisor due to lack of /proc/sys/user/max_user_namespaces (relevant code). The option "--disable-userns" is set as default by flatpak, so adding /proc/sys/user/max_user_namespaces will make it possible to build and run flatpak in container with gvisor.

Is this feature related to a specific bug?

No response

Do you have a specific solution in mind?

No response

[EtiennePerot]

Have you confirmed that this is the only thing that prevents flatpak from working? You can check by doing something like echo 1234 > /tmp/max_user_namespaces.txt && docker run --rm -it -v /tmp/max_user_namespaces.txt:/proc/sys/user/max_user_namespaces:rw --runtime=runsc ubuntu bash.

[Evolto2019]

Have you confirmed that this is the only thing that prevents flatpak from working? You can check by doing something like echo 1234 > /tmp/max_user_namespaces.txt && docker run --rm -it -v /tmp/max_user_namespaces.txt:/proc/sys/user/max_user_namespaces:rw --runtime=runsc ubuntu bash.

Well confirmed. Bubblewrap will complain "creation of new user namespaces was not disabled as requested" in this case. This is because it checks whether it's possible to create new user namespace after setting "1" for /proc/sys/user/max_user_namespaces. Mounting a fake max_user_namespaces file will work only if bubblewrap performs the check by simply reading the corresponding sysctl value, which is not the case here.