
kernel-packages team mailing list archive

[Bug 1567558] Re: ZFS is confused by user namespaces (uid/gid mapping) when used with acltype=posixac

 

This bug was fixed in the package linux - 4.4.0-23.41

---------------
linux (4.4.0-23.41) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1582431

  * zfs: disable module checks for zfs when cross-compiling (LP: #1581127)
    - [Packaging] disable zfs module checks when cross-compiling

  * Xenial update to v4.4.10 stable release (LP: #1580754)
    - Revert "UBUNTU: SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for
      recursive method calls"
    - Revert "UBUNTU: SAUCE: nbd: ratelimit error msgs after socket close"
    - Revert: "powerpc/tm: Check for already reclaimed tasks"
    - RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips
    - ipvs: handle ip_vs_fill_iph_skb_off failure
    - ipvs: correct initial offset of Call-ID header search in SIP persistence
      engine
    - ipvs: drop first packet to redirect conntrack
    - mfd: intel-lpss: Remove clock tree on error path
    - nbd: ratelimit error msgs after socket close
    - ata: ahci_xgene: dereferencing uninitialized pointer in probe
    - mwifiex: fix corner case association failure
    - CNS3xxx: Fix PCI cns3xxx_write_config()
    - clk-divider: make sure read-only dividers do not write to their register
    - soc: rockchip: power-domain: fix err handle while probing
    - clk: rockchip: free memory in error cases when registering clock branches
    - clk: meson: Fix meson_clk_register_clks() signature type mismatch
    - clk: qcom: msm8960: fix ce3_core clk enable register
    - clk: versatile: sp810: support reentrance
    - clk: qcom: msm8960: Fix ce3_src register offset
    - lpfc: fix misleading indentation
    - ath9k: ar5008_hw_cmn_spur_mitigate: add missing mask_m & mask_p
      initialisation
    - mac80211: fix statistics leak if dev_alloc_name() fails
    - tracing: Don't display trigger file for events that can't be enabled
    - MD: make bio mergeable
    - Minimal fix-up of bad hashing behavior of hash_64()
    - mm, cma: prevent nr_isolated_* counters from going negative
    - mm/zswap: provide unique zpool name
    - ARM: EXYNOS: Properly skip unitialized parent clock in power domain on
    - ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
    - xen: Fix page <-> pfn conversion on 32 bit systems
    - xen/balloon: Fix crash when ballooning on x86 32 bit PAE
    - xen/evtchn: fix ring resize when binding new events
    - HID: wacom: Add support for DTK-1651
    - HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk
    - Input: zforce_ts - fix dual touch recognition
    - proc: prevent accessing /proc/<PID>/environ until it's ready
    - mm: update min_free_kbytes from khugepaged after core initialization
    - batman-adv: fix DAT candidate selection (must use vid)
    - batman-adv: Check skb size before using encapsulated ETH+VLAN header
    - batman-adv: Fix broadcast/ogm queue limit on a removed interface
    - batman-adv: Reduce refcnt of removed router when updating route
    - writeback: Fix performance regression in wb_over_bg_thresh()
    - MAINTAINERS: Remove asterisk from EFI directory names
    - x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO
    - ARM: cpuidle: Pass on arm_cpuidle_suspend()'s return value
    - ARC: Add missing io barriers to io{read,write}{16,32}be()
    - x86/sysfb_efi: Fix valid BAR address range check
    - ACPICA: Dispatcher: Update thread ID for recursive method calls
    - powerpc: Fix bad inline asm constraint in create_zero_mask()
    - libahci: save port map for forced port map
    - ata: ahci-platform: Add ports-implemented DT bindings.
    - USB: serial: cp210x: add ID for Link ECU
    - USB: serial: cp210x: add Straizona Focusers device ids
    - nvmem: mxs-ocotp: fix buffer overflow in read
    - gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading
    - drm/amdgpu: make sure vertical front porch is at least 1
    - drm/amdgpu: set metadata pointer to NULL after freeing.
    - iio: ak8975: Fix NULL pointer exception on early interrupt
    - iio: ak8975: fix maybe-uninitialized warning
    - drm/radeon: make sure vertical front porch is at least 1
    - drm/i915/ddi: Fix eDP VDD handling during booting and suspend/resume
    - drm/i915: Fix eDP low vswing for Broadwell
    - drm/i915: Make RPS EI/thresholds multiple of 25 on SNB-BDW
    - drm/i915: Fake HDMI live status
    - lib/test-string_helpers.c: fix and improve string_get_size() tests
    - drm/i915/skl: Fix DMC load on Skylake J0 and K0
    - Linux 4.4.10

  * HDMI audio playback noise  observed on AMD Polaris 10/11 GPU (LP: #1577288)
    - ALSA: hda: add AMD Polaris-10/11 AZ PCI IDs with proper driver caps

  * [i915_bpo] Update i915 backport driver (LP: #1580114)
    - SAUCE: i915_bpo: Drop is_preliminary from BXT/KBL.
    - SAUCE: i915_bpo: Sync with v4.6-rc7

  * CVE-2016-4486 (LP: #1578497)
    - net: fix infoleak in rtnetlink

  * CVE-2016-4485 (LP: #1578496)
    - net: fix infoleak in llc

  * drm.ko < kernel version 4.5 has a dead lock bug (LP: #1579610)
    - drm: Balance error path for GEM handle allocation

  * Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not
    supported by compiler (LP: #1574982)
    - SAUCE: (no-up) disable -pie when gcc has it enabled by default

  * system freeze after vt switching (LP: #1542939)
    - drm/atomic: Add __drm_atomic_helper_connector_reset, v2.
    - drm/atomic: Remove drm_atomic_connectors_for_crtc.

  * CVE-2016-4558 (LP: #1579140)
    - bpf: fix refcnt overflow

  * Kernel Panic on EC2 After Upgrading from 14.04 to 16.04 via do-release-
    upgrade -d (LP: #1573231)
    - SAUCE: (no-up) x86/topology: Handle CPUID bogosity gracefully

  * PCI Call Traces  hw csum failure in dmesg with  4.4.0-2-generic
    (LP: #1544978)
    - net/mlx4_en: Fix endianness bug in IPV6 csum calculation

  * Missing libunwind support in perf (LP: #1248289)
    - [Config] Add liblzma-dev to enable libunwind support in perf

  * thunderbolt hotplug is broken (LP: #1577898)
    - SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for recursive method
      calls

  * Kernel can be oopsed using remap_file_pages (LP: #1558120)
    - SAUCE: mm/mmap: fix oopsing on remap_file_pages

  * ZFS is confused by user namespaces (uid/gid mapping) when used with
    acltype=posixac (LP: #1567558)
    - zfs: Fix user namespaces uid/gid mapping

  * oops when propagating mounts into containers - RIP:
    0010:[<ffffffff8123cb3e>] [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0
    (LP: #1572316)
    - fs/pnode.c: treat zero mnt_group_id-s as unequal
    - propogate_mnt: Handle the first propogated copy being a slave

  * OOPS on wily+ for Haswell-ULT and Broadwell (LP: #1577748)
    - PNP: Add Broadwell to Intel MCH size workaround
    - PNP: Add Haswell-ULT to Intel MCH size workaround

  * Xenial update to v4.4.9 stable release (LP: #1578798)
    - block: loop: fix filesystem corruption in case of aio/dio
    - x86/mce: Avoid using object after free in genpool
    - kvm: x86: do not leak guest xcr0 into host interrupt handlers
    - ARM: dts: AM43x-epos: Fix clk parent for synctimer
    - ARM: mvebu: Correct unit address for linksys
    - ARM: OMAP2: Fix up interconnect barrier initialization for DRA7
    - ARM: OMAP2+: hwmod: Fix updating of sysconfig register
    - assoc_array: don't call compare_object() on a node
    - usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host
    - xhci: resume USB 3 roothub first
    - usb: xhci: fix wild pointers in xhci_mem_cleanup
    - xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers
    - usb: hcd: out of bounds access in for_each_companion
    - usb: gadget: f_fs: Fix use-after-free
    - dm cache metadata: fix READ_LOCK macros and cleanup WRITE_LOCK macros
    - dm cache metadata: fix cmd_read_lock() acquiring write lock
    - lib: lz4: fixed zram with lz4 on big endian machines
    - debugfs: Make automount point inodes permanently empty
    - dmaengine: dw: fix master selection
    - dmaengine: hsu: correct use of channel status register
    - dmaengine: pxa_dma: fix the maximum requestor line
    - sched/cgroup: Fix/cleanup cgroup teardown/init
    - x86/mm/xen: Suppress hugetlbfs in PV guests
    - x86 EDAC, sb_edac.c: Repair damage introduced when "fixing" channel address
    - ALSA: hda - Don't trust the reported actual power state
    - ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m
    - ALSA: hda - Keep powering up ADCs on Cirrus codecs
    - ALSA: hda - add PCI ID for Intel Broxton-T
    - ALSA: pcxhr: Fix missing mutex unlock
    - ALSA: hda - Add dock support for ThinkPad X260
    - asm-generic/futex: Re-enable preemption in futex_atomic_cmpxchg_inatomic()
    - futex: Handle unlock_pi race gracefully
    - futex: Acknowledge a new waiter in counter before plist
    - drm/nouveau/core: use vzalloc for allocating ramht
    - drm/qxl: fix cursor position with non-zero hotspot
    - drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
    - Revert "drm/radeon: disable runtime pm on PX laptops without dGPU power
      control"
    - Revert "drm/amdgpu: disable runtime pm on PX laptops without dGPU power
      control"
    - cpufreq: intel_pstate: Fix processing for turbo activation ratio
    - iwlwifi: pcie: lower the debug level for RSA semaphore access
    - iwlwifi: mvm: fix memory leak in paging
    - crypto: ccp - Prevent information leakage on export
    - crypto: sha1-mb - use corrcet pointer while completing jobs
    - crypto: talitos - fix crash in talitos_cra_init()
    - crypto: talitos - fix AEAD tcrypt tests
    - powerpc: scan_features() updates incorrect bits for REAL_LE
    - powerpc: Update cpu_user_features2 in scan_features()
    - powerpc: Update TM user feature bits in scan_features()
    - nl80211: check netlink protocol in socket release notification
    - netlink: don't send NETLINK_URELEASE for unbound sockets
    - Input: pmic8xxx-pwrkey - fix algorithm for converting trigger delay
    - xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND"
    - pinctrl: mediatek: correct debounce time unit in mtk_gpio_set_debounce
    - pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs
    - iommu/amd: Fix checking of pci dma aliases
    - iommu/dma: Restore scatterlist offsets correctly
    - drm/amdgpu: when suspending, if uvd/vce was running. need to cancel delay
      work.
    - drm/amdgpu: use defines for CRTCs and AMFT blocks
    - drm/amdgpu: bump the afmt limit for CZ, ST, Polaris
    - amdgpu/uvd: add uvd fw version for amdgpu
    - drm/amdgpu: fix regression on CIK (v2)
    - drm/radeon: add a quirk for a XFX R9 270X
    - drm/radeon: fix initial connector audio value
    - drm/radeon: forbid mapping of userptr bo through radeon device file
    - drm/radeon: fix vertical bars appear on monitor (v2)
    - drm: Loongson-3 doesn't fully support wc memory
    - drm/nouveau/gr/gf100: select a stream master to fixup tfb offset queries
    - drm/dp/mst: Validate port in drm_dp_payload_send_msg()
    - drm/dp/mst: Restore primary hub guid on resume
    - drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()
    - pwm: brcmstb: Fix check of devm_ioremap_resource() return code
    - drm/i915: Cleanup phys status page too
    - drm/i915: skl_update_scaler() wants a rotation bitmask instead of bit number
    - drm/amdkfd: uninitialized variable in dbgdev_wave_control_set_registers()
    - drm/i915: Fixup the free space logic in ring_prepare
    - drm/i915: Use fw_domains_put_with_fifo() on HSW
    - perf intel-pt: Fix segfault tracing transactions
    - i2c: cpm: Fix build break due to incompatible pointer types
    - i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared
    - toshiba_acpi: Fix regression caused by hotkey enabling value
    - EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
    - ASoC: s3c24xx: use const snd_soc_component_driver pointer
    - ASoC: ssm4567: Reset device before regcache_sync()
    - ASoC: dapm: Make sure we have a card when displaying component widgets
    - ASoC: rt5640: Correct the digital interface data select
    - vb2-memops: Fix over allocation of frame vectors
    - v4l2-dv-timings.h: fix polarity for 4k formats
    - cxl: Keep IRQ mappings on context teardown
    - IB/mlx5: Expose correct max_sge_rd limit
    - IB/security: Restrict use of the write() interface
    - efi: Fix out-of-bounds read in variable_matches()
    - efi: Expose non-blocking set_variable() wrapper to efivars
    - x86/apic: Handle zero vector gracefully in clear_vector_irq()
    - workqueue: fix ghost PENDING flag while doing MQ IO
    - slub: clean up code for kmem cgroup support to kmem_cache_free_bulk
    - cgroup, cpuset: replace cpuset_post_attach_flush() with
      cgroup_subsys->post_attach callback
    - memcg: relocate charge moving from ->attach to ->post_attach
    - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check
    - numa: fix /proc/<pid>/numa_maps for THP
    - mm: vmscan: reclaim highmem zone if buffer_heads is over limit
    - mm/hwpoison: fix wrong num_poisoned_pages accounting
    - cgroup: make sure a parent css isn't freed before its children
    - videobuf2-core: Check user space planes array in dqbuf
    - videobuf2-v4l2: Verify planes array in buffer dequeueing
    - Revert "regulator: core: Fix nested locking of supplies"
    - regulator: core: fix regulator_lock_supply regression
    - regulator: core: Ensure we lock all regulators
    - regulator: core: Fix nested locking of supplies
    - locking/mcs: Fix mcs_spin_lock() ordering
    - spi/rockchip: Make sure spi clk is on in rockchip_spi_set_cs
    - irqchip/sunxi-nmi: Fix error check of of_io_request_and_map()
    - irqchip/mxs: Fix error check of of_io_request_and_map()
    - regulator: s5m8767: fix get_register() error handling
    - paride: make 'verbose' parameter an 'int' again
    - scsi_dh: force modular build if SCSI is a module
    - fbdev: da8xx-fb: fix videomodes of lcd panels
    - misc/bmp085: Enable building as a module
    - misc: mic/scif: fix wrap around tests
    - PM / OPP: Initialize u_volt_min/max to a valid value
    - PM / Domains: Fix removal of a subdomain
    - rtc: hym8563: fix invalid year calculation
    - rtc: vr41xx: Wire up alarm_irq_enable
    - rtc: ds1685: passing bogus values to irq_restore
    - rtc: rx8025: remove rv8803 id
    - rtc: max77686: Properly handle regmap_irq_get_virq() error code
    - drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
    - perf evlist: Reference count the cpu and thread maps at set_maps()
    - x86/mm/kmmio: Fix mmiotrace for hugepages
    - ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()
    - serial: sh-sci: Remove cpufreq notifier to fix crash/deadlock
    - mtd: spi-nor: remove micron_quad_enable()
    - mtd: brcmnand: Fix v7.1 register offsets
    - mtd: nand: Drop mtd.owner requirement in nand_scan
    - perf hists browser: Only offer symbol scripting when a symbol is under the
      cursor
    - perf tools: handle spaces in file names obtained from /proc/pid/maps
    - perf stat: Document --detailed option
    - ext4: fix races between page faults and hole punching
    - ext4: move unlocked dio protection from ext4_alloc_file_blocks()
    - ext4: fix races between buffered IO and collapse / insert range
    - ext4: fix races of writeback with punch hole and zero range
    - ARM: OMAP3: Add cpuidle parameters table for omap3430
    - ARM: prima2: always enable reset controller
    - ARM: EXYNOS: select THERMAL_OF
    - ARM: dts: armada-375: use armada-370-sata for SATA
    - ARM: dts: pxa: fix dma engine node to pxa3xx-nand
    - bus: imx-weim: Take the 'status' property value into account
    - jme: Do not enable NIC WoL functions on S0
    - jme: Fix device PM wakeup API usage
    - unbreak allmodconfig KCONFIG_ALLCONFIG=...
    - thermal: rockchip: fix a impossible condition caused by the warning
    - sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race
    - megaraid_sas: add missing curly braces in ioctl handler
    - stm class: Select CONFIG_SRCU
    - extcon: max77843: Use correct size for reading the interrupt register
    - Linux 4.4.9

  * Stoney powerplay support (LP: #1578305)
    - amdgpu/powerplay: Add Stoney to list of early init cases

  * CVE-2016-2117 (LP: #1561403)
    - atl2: Disable unimplemented scatter/gather feature

  * CVE-2016-2187 (LP: #1575706)
    - Input: gtco - fix crash on detecting device without endpoints

  * zfs posix default permissions lost on reboot or unmount (LP: #1574801)
    - Fix ZPL miswrite of default POSIX ACL

  * WARNING: at /build/linux-aWXT0l/linux-4.4.0/drivers/pci/pci.c:1595
    [travis3EN] (LP: #1574697)
    - net/mlx4_core: Implement pci_resume callback
    - net/mlx4_core: Avoid repeated calls to pci enable/disable

  * Add support to thinkpad keyboard backlight (LP: #1574498)
    - thinkpad_acpi: Add support for keyboard backlight

  * Please enable kconfig X86_LEGACY_VM86 for i386 (LP: #1499089)
    - [Config] CONFIG_VM86=y, CONFIG_X86_LEGACY_VM86=y

  * Miscellaneous Ubuntu changes
    - updateconfigs for Linux v4.4.9

 -- Kamal Mostafa <kamal@xxxxxxxxxxxxx>  Mon, 16 May 2016 15:16:29 -0700

** Changed in: linux (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2117

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2187

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4485

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4486

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4558

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to zfs-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1567558

Title:
  ZFS is confused by user namespaces (uid/gid mapping) when used with
  acltype=posixac

Status in linux package in Ubuntu:
  Fix Released
Status in zfs-linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  Fix Committed
Status in zfs-linux source package in Xenial:
  Confirmed
Status in linux source package in Yakkety:
  Fix Released
Status in zfs-linux source package in Yakkety:
  Confirmed

Bug description:
  This report is copy/paste from the following upstream issue:
  https://github.com/zfsonlinux/zfs/issues/4177

  I was asked to file a matching Ubuntu bug for tracking.

  
  Hello,

  # First a quick introduction to the world of containers

  I'm the project leader for LXC and LXD, working on containers on
  Linux. We now extensively use the user namespaces to provide an extra
  layer of security in Linux containers.

  The user namespace allows one to map a range of uid and gid from the
  host or parent namespace into another range of uid and gid of a new
  namespace.

  Typically what's done is that 65536 uids and gids are set aside per
  non-system user on the host. Those users, through a couple of setuid
  helpers (newuidmap and newgidmap), can then set up a uid and gid map for
  their processes. Their 65536 allocation is therefore mapped from
  uid/gid 0 to 65536 of the new namespace, providing a POSIX-compatible
  environment.

  That means that given a user on the host with uid and gid range 100000
  through 165536, uid 100 in their container will be mapped to uid
  100100 outside of it.

  # The problem with ZFS

  When using ZFS with acltype=posixacl and an ACL entry on the host set
  for a uid (or gid) that's then mapped into the container, the
  container doesn't see the right mapped value when querying the acl
  from inside the namespace.

  # Example with zfs (broken)

  root@dakara:~# zfs create lxd/test -o mountpoint=/tmp/test
  root@dakara:~# zfs set acltype=posixacl lxd/test
  root@dakara:~# cd /tmp/test/
  root@dakara:/tmp/test# mkdir a
  root@dakara:/tmp/test# setfacl -m default:user:100100:rwX a
  root@dakara:/tmp/test# setfacl -m user:100100:rwX a
  root@dakara:/tmp/test# getfacl a
  # file: a
  # owner: root
  # group: root
  user::rwx
  user:100100:rwx
  group::r-x
  mask::rwx
  other::r-x
  default:user::rwx
  default:user:100100:rwx
  default:group::r-x
  default:mask::rwx
  default:other::r-x

  root@dakara:/tmp/test# lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /bin/bash
  root@dakara:/tmp/test (in userns)# ls -lh
  total 512
  drwxrwxr-x+ 2 nobody nogroup 2 Jan  7 22:19 a

  root@dakara:/tmp/test (in userns)# getfacl -n a
  # file: a
  # owner: nobody
  # group: nogroup
  user::rwx
  user:4294967295:rwx
  group::r-x
  mask::rwx
  other::r-x
  default:user::rwx
  default:user:4294967295:rwx
  default:group::r-x
  default:mask::rwx
  default:other::r-x

  # Example with ext4 (working)

  root@dakara:/tmp/test.ext4# mkdir a

  root@dakara:/tmp/test.ext4# setfacl -m default:user:100100:rwX a

  root@dakara:/tmp/test.ext4# setfacl -m user:100100:rwX a

  root@dakara:/tmp/test.ext4# getfacl a
  # file: a
  # owner: root
  # group: root
  user::rwx
  user:100100:rwx
  group::r-x
  mask::rwx
  other::r-x
  default:user::rwx
  default:user:100100:rwx
  default:group::r-x
  default:mask::rwx
  default:other::r-x

  root@dakara:/tmp/test.ext4# lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /bin/bash
  root@dakara:/tmp/test.ext4 (in userns)# ls -lh
  total 4.0K
  drwxrwxr-x+ 2 nobody nogroup 4.0K Jan  7 22:22 a

  root@dakara:/tmp/test.ext4 (in userns)# getfacl -n a
  # file: a
  # owner: 65534
  # group: 65534
  user::rwx
  user:100:rwx
  group::r-x
  mask::rwx
  other::r-x
  default:user::rwx
  default:user:100:rwx
  default:group::r-x
  default:mask::rwx
  default:other::r-x

  # Environment

  This was noticed on Ubuntu 14.04 using the zfs stable PPA. I first
  found it in production environments with file servers misbehaving due
  to the problem, then reproduced it on my development systems.

  The zfs version here is 0.6.5.3-1~trusty and I've seen this on 3.13,
  3.16, 3.19 and 4.2 kernels (not that it should matter, the dkms code
  was the same). zfs-dkms is at 2.53-zfs1.

  The lxc-usernsexec helper tool I'm using there comes from the LXC
  package in Ubuntu. It essentially causes a call to fork() followed by
  a call to unshare(CLONE_NEWUSER), then calls the newuidmap and
  newgidmap setuid helpers with the provided map so that the namespace
  can be configured properly.

  You could reproduce something similar using the simple unshare tool
  and manual writes to /proc/PID/{u,g}id_map.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1567558/+subscriptions
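The two getfacl transcripts in the bug description can be reproduced offline with a small model of the kernel's user-namespace id translation. The following Python is an added illustration, not code from the bug report, from LXC or from ZFS; the function names (parse_id_map, parent_to_ns, acl_as_seen_in_ns and so on) are my own, and OVERFLOW_ID assumes the kernel's default overflowuid of 65534. It parses /proc/PID/uid_map lines in the form the report's `-m u:0:100000:65536` produces ("0 100000 65536"), translates ids in both directions, and rewrites the numeric qualifiers of a host-side ACL the way a filesystem that applies the mapping (ext4 in the report) presents them inside the namespace: host uid 100100 becomes 100. The value 4294967295 in the broken ZFS output is (uid_t)-1, the sentinel the kernel's id translation returns when an id has no mapping; the model returns the same sentinel for unmapped ids, and the munged variant shows why ls reports such an id as nobody (65534). Any filesystem that mishandles this check can be spotted by comparing the host and in-namespace outputs exactly as the reporter did.

```python
# Added illustration of user-namespace id translation; it is not code from
# the bug report, from LXC or from ZFS. It models what the kernel does with
# the lines of /proc/PID/uid_map (and gid_map): each line is
# "<first id in namespace> <first id in parent> <count>". The map used in
# the report, "-m u:0:100000:65536", is the single line "0 100000 65536".

INVALID_ID = 0xFFFFFFFF   # (uid_t)-1: what the kernel reports for an id with no mapping
OVERFLOW_ID = 65534       # assumed default /proc/sys/kernel/overflowuid ("nobody")


def parse_id_map(text):
    """Parse uid_map/gid_map text into (ns_first, parent_first, count) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed id_map line: %r" % line)
        ns_first, parent_first, count = (int(f) for f in fields)
        # The kernel rejects extents that are empty or run past 2^32-1.
        if count <= 0 or ns_first + count > 2**32 or parent_first + count > 2**32:
            raise ValueError("extent out of range: %r" % line)
        extents.append((ns_first, parent_first, count))
    return extents


def parent_to_ns(extents, parent_id):
    """Parent-namespace id -> child-namespace id (like from_kuid).

    Returns INVALID_ID when no extent covers the id."""
    for ns_first, parent_first, count in extents:
        if parent_first <= parent_id < parent_first + count:
            return ns_first + (parent_id - parent_first)
    return INVALID_ID


def parent_to_ns_munged(extents, parent_id):
    """Like from_kuid_munged: an unmapped id is shown as the overflow id."""
    ns_id = parent_to_ns(extents, parent_id)
    return OVERFLOW_ID if ns_id == INVALID_ID else ns_id


def ns_to_parent(extents, ns_id):
    """Child-namespace id -> parent-namespace id (like make_kuid)."""
    for ns_first, parent_first, count in extents:
        if ns_first <= ns_id < ns_first + count:
            return parent_first + (ns_id - ns_first)
    return INVALID_ID


def acl_as_seen_in_ns(extents, acl_lines):
    """Rewrite the numeric qualifiers of `getfacl -n` output as a correctly
    translating filesystem presents them inside the namespace.  Entries
    without a qualifier (user::, mask::, ...) and comment lines pass
    through unchanged."""
    out = []
    for line in acl_lines:
        parts = line.split(":")
        tag = 1 if parts[0] == "default" else 0
        if (len(parts) > tag + 1 and parts[tag] in ("user", "group")
                and parts[tag + 1].isdigit()):
            parts[tag + 1] = str(parent_to_ns(extents, int(parts[tag + 1])))
        out.append(":".join(parts))
    return out


# Constructed sample: the map from the report and the host-side ACL it set.
HOST_MAP = "0 100000 65536\n"
HOST_ACL = [
    "user::rwx",
    "user:100100:rwx",
    "group::r-x",
    "mask::rwx",
    "other::r-x",
    "default:user::rwx",
    "default:user:100100:rwx",
]

if __name__ == "__main__":
    ext = parse_id_map(HOST_MAP)
    print("host uid 100100 inside the namespace:", parent_to_ns(ext, 100100))
    print("host root (unmapped), strict sentinel:", parent_to_ns(ext, 0))
    print("host root (unmapped), as ls shows it:", parent_to_ns_munged(ext, 0))
    for line in acl_as_seen_in_ns(ext, HOST_ACL):
        print(line)
```

The strict and munged variants matter for reading the transcripts: ls and stat() use the munged path, so an unmapped owner appears as nobody/65534, whereas an ACL qualifier that fails translation surfaces as the raw (uid_t)-1 sentinel, which is the 4294967295 seen on the ZFS dataset.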