From 2a62441b69fc941b8ab56d3a8decf4a1fa66c536 Mon Sep 17 00:00:00 2001
From: Einspanner123 <59049154+Einspanner123@users.noreply.github.com>
Date: Sun, 10 May 2026 16:37:16 +0800
Subject: [PATCH 1/2] fix(sandbox): add --map-auto flag for unshare commands

On systems where `unshare --map-root-user` alone fails because uid_map
direct writes are blocked by the kernel (observed on util-linux 2.39.3
with non-root users), adding `--map-auto` lets unshare use the newuidmap
SUID helper with /etc/subuid delegations to set up the mapping.

This affects both the user-namespace detection probe and the actual
sandbox launch arguments. When --map-root-user already works natively,
the additional --map-auto flag is a safe no-op.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 rust/crates/runtime/src/sandbox.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rust/crates/runtime/src/sandbox.rs b/rust/crates/runtime/src/sandbox.rs
index 2df08791e3..0bf3a7ed87 100644
--- a/rust/crates/runtime/src/sandbox.rs
+++ b/rust/crates/runtime/src/sandbox.rs
@@ -223,6 +223,7 @@ pub fn build_linux_sandbox_command(
     let mut args = vec![
         "--user".to_string(),
         "--map-root-user".to_string(),
+        "--map-auto".to_string(),
         "--mount".to_string(),
         "--ipc".to_string(),
         "--pid".to_string(),
@@ -293,7 +294,7 @@ fn unshare_user_namespace_works() -> bool {
             return false;
         }
         std::process::Command::new("unshare")
-            .args(["--user", "--map-root-user", "true"])
+            .args(["--user", "--map-root-user", "--map-auto", "true"])
             .stdin(std::process::Stdio::null())
             .stdout(std::process::Stdio::null())
             .stderr(std::process::Stdio::null())

From 9e63766b2f9ffe4a72b77c60b870fe9cad1f125d Mon Sep 17 00:00:00 2001
From: Einspanner123 <59049154+Einspanner123@users.noreply.github.com>
Date: Sun, 10 May 2026 16:53:04 +0800
Subject: [PATCH 2/2] fix(sandbox): use is_ok_and instead of map+unwrap_or for
 clippy

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 rust/crates/runtime/src/sandbox.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rust/crates/runtime/src/sandbox.rs b/rust/crates/runtime/src/sandbox.rs
index 0bf3a7ed87..91dcdcd8e3 100644
--- a/rust/crates/runtime/src/sandbox.rs
+++ b/rust/crates/runtime/src/sandbox.rs
@@ -299,7 +299,7 @@ fn unshare_user_namespace_works() -> bool {
             .stdout(std::process::Stdio::null())
             .stderr(std::process::Stdio::null())
             .status()
-            .is_ok_and(|status| status.success())
+            .is_ok_and(|s| s.success())
     })
 }