[antlir2][image_command_alias] variant that does not require actual userns unshare

Summary:
Add a flag that allows running in a userns with only `root:root` mapped (to the
unprivileged outer user).
This is always allowed and does not depend on a working installation of
`new(ug)idmap` in the environment.

Test Plan: See next diff

Reviewed By: CookieComputing

Differential Revision: D83083848

fbshipit-source-id: abeb64ccf88a2f2d714c9989302759ddf20a29d7

Author: vmagro

antlir/antlir2/image_command_alias/BUCK

@@ -9,6 +9,7 @@ rust_binary(
     deps = [
         "anyhow",
         "clap",
+        "nix",
         "tracing",
         "tracing-subscriber",
         "//antlir/antlir2/antlir2_isolate:antlir2_isolate",

antlir/antlir2/image_command_alias/image_command_alias.bzl

@@ -20,6 +20,7 @@ def _impl(ctx: AnalysisContext) -> list[Provider] | Promise:
         cmd_args(root, format = "--root={}"),
         cmd_args(env_json, format = "--env={}") if env_json else cmd_args(),
         cmd_args(ctx.attrs.pass_env, format = "--pass-env={}"),
+        "--single-user-userns" if ctx.attrs.single_user_userns else cmd_args(),
         "--",
         ctx.attrs.exe,
         cmd_args(ctx.attrs.args),
@@ -57,6 +58,14 @@ _image_command_alias = rule(
         "labels": attrs.list(attrs.string(), default = []),
         "pass_env": attrs.list(attrs.string(), default = []),
         "root": attrs.source(allow_directory = True),
+        "single_user_userns": attrs.bool(
+            default = False,
+            doc = """
+                If set, don't unshare into a fully remapped antlir userns, just
+                unshare and map the current (ug)id to root and hope that it's
+                good enough for what we're going to do (it usually is)
+            """,
+        ),
         "_command_alias": attrs.default_only(attrs.exec_dep(default = "antlir//antlir/antlir2/image_command_alias:command_alias")),
     } | cfg_attrs(),
     cfg = layer_cfg,

antlir/antlir2/image_command_alias/src/main.rs

@@ -20,6 +20,8 @@ use anyhow::Result;
 use anyhow::ensure;
 use clap::Parser;
 use json_arg::JsonFile;
+use nix::unistd::Gid;
+use nix::unistd::Uid;
 
 #[derive(Debug, Parser)]
 struct Args {
@@ -31,6 +33,11 @@ struct Args {
     env: Option<JsonFile<BTreeMap<String, Vec<String>>>>,
     #[clap(required(true), trailing_var_arg(true), allow_hyphen_values(true))]
     command: Vec<String>,
+    #[clap(long)]
+    /// If set, don't unshare into a fully remapped antlir userns, just unshare
+    /// and map the current (ug)id to root and hope that it's good enough for
+    /// what we're going to do (it usually is)
+    single_user_userns: bool,
 }
 
 fn main() -> Result<()> {
@@ -40,7 +47,21 @@ fn main() -> Result<()> {
         .with_max_level(tracing::Level::TRACE)
         .init();
 
-    antlir2_rootless::unshare_new_userns().context("while setting up userns")?;
+    if !args.single_user_userns {
+        antlir2_rootless::unshare_new_userns().context("while setting up userns")?;
+    } else {
+        let uid = Uid::current();
+        let gid = Gid::current();
+        nix::sched::unshare(nix::sched::CloneFlags::CLONE_NEWUSER)
+            .context("while unsharing into new userns")?;
+        std::fs::write("/proc/self/uid_map", format!("0 {uid} 1\n"))
+            .context("while writing uid_map")?;
+        nix::unistd::setuid(Uid::from_raw(0)).context("while setting uid to 0")?;
+        std::fs::write("/proc/self/setgroups", "deny\n").context("while writing setgroups")?;
+        std::fs::write("/proc/self/gid_map", format!("0 {gid} 1\n"))
+            .context("while writing gid_map")?;
+        nix::unistd::setgid(Gid::from_raw(0)).context("while setting gid to 0")?;
+    }
 
     let mut builder = IsolationContext::builder(&args.root);
     builder.ephemeral(true);