From bf242e8a5216350b20a8347a05630d7e6d67d5b9 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Thu, 8 Dec 2022 06:52:02 -0500
Subject: [PATCH] Fix newuidmap...`: newuidmap: open of uid_map failed: Permission denied

Within a container, caps need to be set on /usr/bin/new{uid,gid}map which reflect the (inner) podman user's root namespaced ID of 10000.

Signed-off-by: Chris Evich
---
 Containerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Containerfile b/Containerfile
index 36b3452..8db73b4 100644
--- a/Containerfile
+++ b/Containerfile
@@ -99,7 +99,9 @@ RUN sed -i -r \
 chmod u+s /usr/bin/new{uid,gid}map && \
 rm -f /home/podman/.bash* && \
 echo DOCKER_HOST="unix:///tmp/podman-run-1000/podman/podman.sock" > /etc/profile.d/podman.sh && \
- echo "podman:10000:10000" | tee /etc/subuid > /etc/subgid
+ echo "podman:10000:10000" | tee /etc/subuid > /etc/subgid && \
+ setcap -n 10000 cap_setuid+ep /usr/bin/newuidmap && \
+ setcap -n 10000 cap_setuid+ep /usr/bin/newgidmap

 # Runtime rootless-mode configuration
 USER podman
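Review bot: The last added line grants `cap_setuid+ep` to /usr/bin/newgidmap, but writing a user namespace's gid_map is gated on CAP_SETGID, not CAP_SETUID, so the gid-mapping half of the setup will likely keep failing with the same permission error the commit is fixing; the line should read `setcap -n 10000 cap_setgid+ep /usr/bin/newgidmap`. The `chmod u+s /usr/bin/new{uid,gid}map` kept two lines above now sits alongside the namespaced file capabilities; if the `-n 10000` capability is what actually grants access in the inner namespace, the setuid bit is redundant and dropping it would leave each helper with only the single capability it needs — worth confirming against the intended runtime rather than assuming. The RUN instruction these lines belong to starts before the hunk.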