Can't run unprivileged any more due to setgroups
Since !77 (merged), it's not possible to run virtiofsd as an unprivileged user any more:
[2022-03-04T16:46:42Z ERROR virtiofsd] Error entering sandbox: DropSupplementalGroups(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })
This is because setgroups is always called at startup, and it requires CAP_SETGID. When using the namespace sandbox mode, should setgroups be called after setting up the namespace?
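The failure described above can be reproduced and guarded against with a small check that only calls setgroups() when the process actually holds CAP_SETGID. This is an added example and not virtiofsd's own code; it assumes Linux with /proc mounted, and reads the effective capability mask from /proc/self/status (CAP_SETGID is bit 6).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit index of CAP_SETGID in the kernel capability bitmask. */
#define CAP_SETGID_BIT 6

/* Returns 1 if the calling process holds CAP_SETGID in its effective set,
 * 0 if it does not (or if /proc/self/status cannot be read). */
int have_cap_setgid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int have = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            have = (caps >> CAP_SETGID_BIT) & 1;
            break;
        }
    }
    fclose(f);
    return have;
}

/* Drops all supplemental groups when that is possible. Returns 0 when they
 * were dropped, 1 when the call was skipped because CAP_SETGID is missing
 * (the unprivileged case from the issue), and -errno when setgroups() fails
 * anyway, e.g. -EPERM inside a user namespace whose setgroups file is "deny". */
int drop_supplemental_groups(void)
{
    if (!have_cap_setgid())
        return 1;
    if (setgroups(0, NULL) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    int rc = drop_supplemental_groups();
    printf("drop_supplemental_groups: %d, groups left: %d\n", rc, getgroups(0, NULL));
    return rc < 0;
}
```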