Using sudo/setuid with gVisor

Travis DePrato

Jan 2, 2021, 5:45:39 PM
to gVisor Users [Public]
I have a legacy application that uses sudo to launch some processes, but it doesn't work under gVisor:

$ sudo -i
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Similarly, when I try to use sudo in a Docker container with the runsc runtime, I get:

foo@101622c9843b:/$ sudo -i
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
foo@101622c9843b:/$ ls -lh /usr/bin/sudo
-rwxr-xr-x 1 root root 163K Jul 15 00:17 /usr/bin/sudo

Poking around the gVisor codebase does suggest that there's some special handling around setuid, but I'm not familiar enough with gVisor or Linux kernel internals to really know what's happening.

Is it possible to get around this (e.g., some flag to allow setuid to work as expected within the container)?
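The two sudo errors quoted above correspond to two preconditions sudo verifies before it will run: the binary must be owned by uid 0 with the setuid bit set, and its file system must not be mounted nosuid. The script below is an added diagnostic example (not code from the poster or from the gVisor project) that reproduces those checks against a path and a /proc/self/mountinfo listing, so a container user can see which condition is failing; the sample mountinfo text is constructed.

```python
"""Diagnose why a setuid binary such as /usr/bin/sudo would be rejected.

Mirrors sudo's own preconditions: owner uid 0 + setuid bit, and a mount
that is not flagged nosuid.  Added example, not sudo's or gVisor's code.
"""
import os
import stat


def binary_checks(mode: int, uid: int) -> list:
    """Return the list of problems with a binary's mode bits and owner."""
    problems = []
    if uid != 0:
        problems.append(f"not owned by uid 0 (owner uid {uid})")
    if not mode & stat.S_ISUID:          # S_ISUID is the 0o4000 bit
        problems.append("setuid bit not set")
    return problems


def nosuid_mount_for(path: str, mountinfo: str):
    """Return the mount point covering path if that mount is nosuid, else None.

    mountinfo is the text of /proc/self/mountinfo; field 5 is the mount
    point and field 6 the per-mount options (see proc(5)).
    """
    best = None
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        mount_point, options = fields[4], fields[5].split(",")
        covers = path == mount_point or path.startswith(
            mount_point.rstrip("/") + "/")
        # The longest matching mount point is the one actually in effect.
        if covers and (best is None or len(mount_point) > len(best[0])):
            best = (mount_point, options)
    if best is not None and "nosuid" in best[1]:
        return best[0]
    return None


def diagnose(path: str) -> list:
    """Run both checks on a real path and return all problems found."""
    st = os.stat(path)
    problems = binary_checks(st.st_mode, st.st_uid)
    with open("/proc/self/mountinfo") as fh:
        mp = nosuid_mount_for(os.path.realpath(path), fh.read())
    if mp is not None:
        problems.append(f"mounted nosuid at {mp}")
    return problems
```

Running `diagnose("/usr/bin/sudo")` inside the container lists every failing precondition; an empty list means the binary itself is not the problem and the sandbox's handling of setuid is.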
