bug-guix

bug#35662: Really relocatable binaries crash with Permission denied


From: pelzflorian (Florian Pelz)
Subject: bug#35662: Really relocatable binaries crash with Permission denied
Date: Fri, 10 May 2019 00:01:36 +0200
User-agent: NeoMutt/20180716

The manual gives the following example of guix pack -RR:

      guix pack -RR -S /mybin=bin bash
      tar xf pack.tar.gz
      ./mybin/sh

This fails on my university’s server for students, which uses Linux
container “VMs” with Ubuntu, has no user namespace support, and does not
have Guix installed.  This single line is all output:

$ ./mybin/sh
sh: run.c:162: bind_mount: Unexpected error: Permission denied.

Note that

PROOT_NO_SECCOMP=1 ~/gnu/store/iyd2ikxadcp89j5919pwja6swnx00493-proot-static-5.1.0/bin/proot -w $(pwd | sed 's/${HOME}//') -r ${HOME} -b /proc /mybin/sh

works just fine (inspired by
<https://guix-hpc.bordeaux.inria.fr/blog/2017/10/using-guix-without-being-root/>).

For testing purposes, I compile the wrapper
gnu/packages/aux-files/run-in-namespace.c:

sed -i 's|@STORE_DIRECTORY@|/gnu/store|g' run-in-namespace.c
sed -i 's|@WRAPPED_PROGRAM@|/mybin/sh|g' run-in-namespace.c
gcc -std=gnu99 -static -O0 -g -Wall run-in-namespace.c
scp run-in-namespace.c a.out … # upload it to the university server
ssh …
gdb a.out
[…]
(gdb) break main
Breakpoint 1 at 0x401ea1: file run-in-namespace.c, line 260.
(gdb) run
Starting program: /home/f_pelz12/a.out 

Breakpoint 1, main (argc=1, argv=0x7fffffffe818) at run-in-namespace.c:260
260       size = readlink ("/proc/self/exe", self, sizeof self - 1);
(gdb) next
261       assert (size > 0);
(gdb) 
265       size_t index = strlen (self)
(gdb) 
268       char *store = strdup (self);
(gdb) 
269       store[index] = '\0';
(gdb) 
277       if (strcmp (store, "/gnu/store") != 0
(gdb) 
278           && lstat ("/mybin/sh", &statbuf) != 0)
(gdb) 
283           char *new_root = mkdtemp (strdup ("/tmp/guix-exec-XXXXXX"));
(gdb) 
284           char *new_store = concat (new_root, "/gnu/store");
(gdb) 
285           char *cwd = get_current_dir_name ();
(gdb) 
292           pid_t child = syscall (SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER,
(gdb) 
[Detaching after fork from child process 12748]
294           switch (child)
(gdb) a.out: run-in-namespace.c:162: bind_mount: Unexpected error: Permission denied.

337                 disallow_setgroups (child);
(gdb) 
a.out: run-in-namespace.c:205: disallow_setgroups: Unexpected error: Permission denied.

Program received signal SIGABRT, Aborted.
0x000000000040796f in raise ()

I do not know how to break into the detached child’s bind_mount call,
so I am unable to give details on this bind_mount error (I do not know
if the bind_mount really is the cause of the crash; it is futile
anyway and the binary should just try proot after all and not crash
before).  A breakpoint from `break bind_mount` is ignored.  Can I get
more information out of this somehow?

For completeness:
$ uname -a
Linux tux6 4.15.18-14-pve #1 SMP PVE 4.15.18-38 (Tue, 30 Apr 2019 10:51:33 +0200) x86_64 x86_64 x86_64 GNU/Linux

Regards,
Florian
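
Added example (editor's note; this is neither part of Florian's report nor code from Guix's run-in-namespace.c): a probe, written in C, that performs the same setup steps the wrapper performs, clone(2) with CLONE_NEWUSER|CLONE_NEWNS, writing setgroups/uid_map/gid_map from the parent, and a bind mount in the child, but one step at a time, and reports the first failing step with its errno over a pipe instead of asserting.  The enum, the names `ns_probe`, `ns_stage_name`, `ns_should_fall_back_to_proot` and `ns_probe_self_check`, the scratch directory and the pipe protocol are my own; the scratch directory is bound onto itself, which is the same mount(2) call the wrapper makes for /gnu/store, and the mount exists only in the child's private namespace, so nothing is left behind.  Because bind_mount runs only in the child, a report like this one is what answers the question of which call fails and with what errno.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical probe (not Guix code): which namespace setup step fails, and why. */
enum ns_stage { NS_OK = 0, NS_CLONE, NS_SETGROUPS, NS_UID_MAP, NS_GID_MAP, NS_MOUNT, NS_CHILD };

struct ns_report {
  enum ns_stage stage;  /* first failing step, NS_OK if every step worked */
  int err;              /* errno of that step, 0 on success */
};

const char *ns_stage_name(enum ns_stage s)
{
  static const char *const names[] = {
    "ok", "clone(CLONE_NEWUSER|CLONE_NEWNS)", "write /proc/<pid>/setgroups",
    "write /proc/<pid>/uid_map", "write /proc/<pid>/gid_map",
    "bind mount in the child", "child sent no report" };
  return ((unsigned) s <= NS_CHILD) ? names[s] : "unknown";
}

/* Write one line to /proc/<pid>/<name>; returns 0 on success, -errno on failure. */
static int write_proc_file(pid_t pid, const char *name, const char *content)
{
  char path[64];
  snprintf(path, sizeof path, "/proc/%d/%s", (int) pid, name);
  int fd = open(path, O_WRONLY);
  if (fd < 0) return -errno;
  int err = write(fd, content, strlen(content)) < 0 ? errno : 0;
  close(fd);
  return -err;
}

/* `scratch` must already exist: it is created by the caller, outside the new
   namespace, because a process with no uid mapping cannot create files. */
struct ns_report ns_probe(const char *scratch)
{
  struct ns_report r = { NS_OK, 0 };
  int go[2], back[2];   /* go: parent -> child ("maps written"); back: child -> parent report */
  if (pipe(go) < 0) { r.stage = NS_CHILD; r.err = errno; return r; }
  if (pipe(back) < 0) { r.stage = NS_CHILD; r.err = errno; close(go[0]); close(go[1]); return r; }

  /* Same raw clone as the wrapper: SIGCHLD exit signal, no separate stack. */
  pid_t child = (pid_t) syscall(SYS_clone, SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER, 0, 0, 0, 0);
  if (child < 0) {
    r.stage = NS_CLONE; r.err = errno;
    close(go[0]); close(go[1]); close(back[0]); close(back[1]);
    return r;
  }
  if (child == 0) {
    char c;
    struct ns_report cr = { NS_OK, 0 };
    close(go[1]); close(back[0]);
    if (read(go[0], &c, 1) != 1) _exit(1);            /* parent went away */
    if (mount(scratch, scratch, NULL, MS_BIND, NULL) < 0) { cr.stage = NS_MOUNT; cr.err = errno; }
    if (write(back[1], &cr, sizeof cr) != (ssize_t) sizeof cr) _exit(1);
    _exit(0);
  }
  close(go[0]); close(back[1]);

  /* Parent side, in the wrapper's order: deny setgroups, then map uid and gid to themselves. */
  char uid[32], gid[32];
  snprintf(uid, sizeof uid, "%d %d 1\n", (int) getuid(), (int) getuid());
  snprintf(gid, sizeof gid, "%d %d 1\n", (int) getgid(), (int) getgid());
  int e;
  if ((e = write_proc_file(child, "setgroups", "deny")) < 0) { r.stage = NS_SETGROUPS; r.err = -e; }
  else if ((e = write_proc_file(child, "uid_map", uid)) < 0) { r.stage = NS_UID_MAP; r.err = -e; }
  else if ((e = write_proc_file(child, "gid_map", gid)) < 0) { r.stage = NS_GID_MAP; r.err = -e; }

  /* Release the child even after a parent-side failure so it exits and reports. */
  if (write(go[1], "x", 1) != 1) { /* child then sees EOF and exits */ }
  close(go[1]);
  struct ns_report cr;
  ssize_t n = read(back[0], &cr, sizeof cr);
  close(back[0]);
  waitpid(child, NULL, 0);
  if (r.stage != NS_OK) return r;                    /* parent-side failures come first */
  if (n != (ssize_t) sizeof cr) { r.stage = NS_CHILD; r.err = EPIPE; return r; }
  return cr;
}

/* The decision the wrapper should take instead of aborting. */
int ns_should_fall_back_to_proot(const struct ns_report *r) { return r->stage != NS_OK; }

/* Runs the probe on a fresh scratch directory and checks the report is coherent:
   stage in range and errno set exactly when a stage failed.  Returns 1 if so. */
int ns_probe_self_check(void)
{
  const char *base = getenv("TMPDIR");
  char tmpl[128];
  snprintf(tmpl, sizeof tmpl, "%s/ns-probe-XXXXXX", base ? base : "/tmp");
  if (!mkdtemp(tmpl)) return 0;
  struct ns_report r = ns_probe(tmpl);
  rmdir(tmpl);
  return (unsigned) r.stage <= NS_CHILD && ((r.stage == NS_OK) == (r.err == 0))
         && ns_should_fall_back_to_proot(&r) == (r.stage != NS_OK);
}

int main(void)
{
  char tmpl[] = "/tmp/ns-probe-XXXXXX";
  if (!mkdtemp(tmpl)) { perror("mkdtemp"); return 1; }
  struct ns_report r = ns_probe(tmpl);
  rmdir(tmpl);
  if (ns_should_fall_back_to_proot(&r))
    printf("namespaces unusable: %s failed: %s; fall back to proot\n",
           ns_stage_name(r.stage), strerror(r.err));
  else
    printf("user and mount namespaces usable\n");
  return 0;
}
```

Usage: `gcc -static -Wall ns-probe.c -o ns-probe` and run it unprivileged on the target host; the output names the first step that fails and its errno, which is the information the assert in the wrapper discards.  On the gdb question: "Detaching after fork from child process" is gdb's default `detach-on-fork` behaviour, and a clone with SIGCHLD as exit signal is reported to the debugger as a fork, so `set follow-fork-mode child` (or `set detach-on-fork off`) before `run` is what makes a breakpoint on bind_mount, which executes only in the child, actually hit.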
