
fix(sandbox): add --map-auto flag for unshare commands#3013

Open
Einspanner123 wants to merge 2 commits into ultraworkers:main from Einspanner123:fix/sandbox-map-auto-fallback

Conversation

@Einspanner123

Summary

Fixes sandbox namespace detection and activation on systems where unshare --map-root-user alone fails because the kernel blocks direct uid_map writes by non-root users (observed on util-linux 2.39.3).

Root Cause

unshare --map-root-user tries to write directly to /proc/self/uid_map, which the kernel rejects with EPERM for unprivileged users on some configurations. The --map-auto flag tells unshare to use the newuidmap SUID helper with /etc/subuid delegations instead, which is the recommended approach for unprivileged user namespaces.

On systems where --map-root-user already works natively, the additional --map-auto flag is a safe no-op.

Changes

Two one-line additions in rust/crates/runtime/src/sandbox.rs:

  1. Detection probe (line 296): `--map-root-user` → `--map-root-user --map-auto`
  2. Sandbox launch args (line 225): add `--map-auto` to the `unshare` argument list

Verification

  • cargo build --release succeeds
  • cargo test --package runtime -- sandbox — all 7 tests pass
  • claw doctor shows sandbox as supported and active on a system where it previously failed

Before / After

# Before
Sandbox   warn   sandbox was requested but is not currently active
                 fallback: namespace isolation unavailable (requires Linux with `unshare`)

# After
Sandbox   ok     sandbox protections are active
                 supported=true  active=true  filesystem-mode=workspace-only

🤖 Generated with Claude Code
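As an added example (not code from the ultraworkers repository or from this PR), here is a probe in the project's language that mirrors the fallback described above: it tries `unshare --map-root-user` first, then `--map-root-user --map-auto`, and reports which mapping mode the host supports so a caller can degrade safely instead of assuming the sandbox is active. It assumes `unshare` is on PATH; the `UsernsSupport` enum and the function names are hypothetical.

```rust
use std::process::{Command, Stdio};

/// Outcome of the user-namespace probe (hypothetical type, added example).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum UsernsSupport {
    /// Direct write to /proc/self/uid_map works; no extra flag needed.
    Native,
    /// Direct write is refused, but newuidmap with /etc/subuid works.
    MapAuto,
    /// Neither form works, or `unshare` is not installed / cannot run.
    Unavailable,
}

/// The `unshare` mapping flags for each mode, as in the PR: the plain
/// form first, then the same flags plus `--map-auto` as the fallback.
pub fn mapping_flags(mode: UsernsSupport) -> Vec<&'static str> {
    match mode {
        UsernsSupport::Native => vec!["--map-root-user"],
        UsernsSupport::MapAuto => vec!["--map-root-user", "--map-auto"],
        UsernsSupport::Unavailable => vec![],
    }
}

/// Run `unshare <flags> true` and report whether it exited successfully.
/// A spawn error (binary missing, execution blocked) counts as failure.
pub fn probe_with(flags: &[&str]) -> bool {
    if flags.is_empty() {
        return false;
    }
    Command::new("unshare")
        .args(flags)
        .arg("true")
        .stdin(Stdio::null())
        .stdout(Stdio::null())
        .stderr(Stdio::null())
        .status()
        .map(|status| status.success())
        .unwrap_or(false)
}

/// Detection probe: prefer the native mapping, fall back to `--map-auto`,
/// and report Unavailable when neither works so callers never assume isolation.
pub fn detect_userns_support() -> UsernsSupport {
    for mode in [UsernsSupport::Native, UsernsSupport::MapAuto] {
        if probe_with(&mapping_flags(mode)) {
            return mode;
        }
    }
    UsernsSupport::Unavailable
}

fn main() {
    println!("user namespace support: {:?}", detect_userns_support());
}
```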

@Einspanner123 Einspanner123 force-pushed the fix/sandbox-map-auto-fallback branch 2 times, most recently from a6dd933 to f8c586d on May 10, 2026 09:03
Einspanner123 and others added 2 commits May 10, 2026 17:06
On systems where `unshare --map-root-user` alone fails because uid_map
direct writes are blocked by the kernel (observed on util-linux 2.39.3
with non-root users), adding `--map-auto` lets unshare use the newuidmap
SUID helper with /etc/subuid delegations to set up the mapping.

This affects both the user-namespace detection probe and the actual
sandbox launch arguments. When --map-root-user already works natively,
the additional --map-auto flag is a safe no-op.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@Einspanner123 Einspanner123 force-pushed the fix/sandbox-map-auto-fallback branch from f8c586d to 36d5da9 on May 10, 2026 09:08