From b8afffff5fb35d16348d31819d387ecd680e8a48 Mon Sep 17 00:00:00 2001
From: Einspanner123 <59049154+Einspanner123@users.noreply.github.com>
Date: Sun, 10 May 2026 16:37:16 +0800
Subject: [PATCH 1/2] fix(sandbox): add --map-auto flag for unshare commands

On systems where `unshare --map-root-user` alone fails because uid_map direct writes are blocked by the kernel (observed on util-linux 2.39.3 with non-root users), adding `--map-auto` lets unshare use the newuidmap SUID helper with /etc/subuid delegations to set up the mapping.

This affects both the user-namespace detection probe and the actual sandbox launch arguments. When --map-root-user already works natively, the additional --map-auto flag is a safe no-op.

Co-Authored-By: Claude Opus 4.7
---
 rust/crates/runtime/src/sandbox.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rust/crates/runtime/src/sandbox.rs b/rust/crates/runtime/src/sandbox.rs
index 45f118a9f6..c7981b773d 100644
--- a/rust/crates/runtime/src/sandbox.rs
+++ b/rust/crates/runtime/src/sandbox.rs
@@ -223,6 +223,7 @@ pub fn build_linux_sandbox_command(
     let mut args = vec![
         "--user".to_string(),
         "--map-root-user".to_string(),
+        "--map-auto".to_string(),
         "--mount".to_string(),
         "--ipc".to_string(),
         "--pid".to_string(),
@@ -293,7 +294,7 @@ fn unshare_user_namespace_works() -> bool {
         return false;
     }
     std::process::Command::new("unshare")
-        .args(["--user", "--map-root-user", "true"])
+        .args(["--user", "--map-root-user", "--map-auto", "true"])
         .stdin(std::process::Stdio::null())
         .stdout(std::process::Stdio::null())
         .stderr(std::process::Stdio::null())

From 36d5da9fb33093a3da85ea1b883411105ca579f6 Mon Sep 17 00:00:00 2001
From: Einspanner123 <59049154+Einspanner123@users.noreply.github.com>
Date: Sun, 10 May 2026 16:53:04 +0800
Subject: [PATCH 2/2] fix(sandbox): use is_ok_and instead of map+unwrap_or for clippy

Co-Authored-By: Claude Opus 4.7
---
 rust/crates/runtime/src/sandbox.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
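Review bot: The unconditional `"--map-auto".to_string()` on the new args line, and the matching change to the probe in the hunk at `@@ -293,7 +294,7 @@`, is not the no-op the commit message claims: on a util-linux build that does not recognize the flag, `unshare` exits non-zero and both the probe and the real launch fail where plain `--map-root-user` used to work, and where the flag is recognized the namespace additionally receives the caller's whole subordinate uid/gid block from /etc/subuid and /etc/subgid, set up through the SUID newuidmap/newgidmap helpers, so the set of identities available inside the sandbox is wider than the single root mapping the code had before. Prefer the plain form first and fall back to `--map-auto` only when that fails, and have the launch site reuse whichever variant the probe found so the two call sites cannot drift apart; a sketch follows, with `unshare_user_namespace_works` reducing to `unshare_user_namespace_flags().is_some()` and `build_linux_sandbox_command` extending `args` from the returned slice instead of the literal `"--map-root-user"`. What the caller does with a false probe result is not visible here; if it means the command runs unsandboxed, the version regression is the more serious of the two points. Both enclosing functions start and end outside their hunks.
```rust
/// Flag sets that establish the root mapping inside the user namespace, in
/// preference order. Plain `--map-root-user` writes uid_map directly and maps
/// only the caller; `--map-auto` is a fallback because it also maps the
/// caller's subordinate uid/gid block via the newuidmap/newgidmap SUID helpers.
static USER_NS_MAP_FLAGS: [&[&str]; 2] = [
    &["--map-root-user"],
    &["--map-root-user", "--map-auto"],
];

/// Returns the first flag set with which `unshare --user … true` succeeds,
/// or `None` when no user-namespace mapping works on this host.
fn unshare_user_namespace_flags() -> Option<&'static [&'static str]> {
    USER_NS_MAP_FLAGS.iter().copied().find(|flags| {
        std::process::Command::new("unshare")
            .arg("--user")
            .args(*flags)
            .arg("true")
            .stdin(std::process::Stdio::null())
            .stdout(std::process::Stdio::null())
            .stderr(std::process::Stdio::null())
            .status()
            .is_ok_and(|s| s.success())
    })
}
// … unchanged: build_linux_sandbox_command, which now pushes
//     unshare_user_namespace_flags() entries in place of "--map-root-user" …
```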
diff --git a/rust/crates/runtime/src/sandbox.rs b/rust/crates/runtime/src/sandbox.rs
index c7981b773d..91dcdcd8e3 100644
--- a/rust/crates/runtime/src/sandbox.rs
+++ b/rust/crates/runtime/src/sandbox.rs
@@ -299,8 +299,7 @@ fn unshare_user_namespace_works() -> bool {
         .stdout(std::process::Stdio::null())
         .stderr(std::process::Stdio::null())
         .status()
-        .map(|s| s.success())
-        .unwrap_or(false)
+        .is_ok_and(|s| s.success())
     })
 }