new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS

if the euid!=owner of the userns, the kernel returns EPERM when trying
to write the uidmap and there is no CAP_SYS_ADMIN in the parent
namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

src/Makefile.am

@@ -86,8 +86,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
 endif
 
 chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
-newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+newuidmap_LDADD    = $(LDADD) $(LIBSELINUX) $(LIBCAP)
+newgidmap_LDADD    = $(LDADD) $(LIBSELINUX) $(LIBCAP)
 chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
 chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
 chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)

src/newgidmap.c

@@ -250,7 +250,7 @@ int main(int argc, char **argv)
 	verify_ranges(pw, ranges, mappings, &allow_setgroups);
 
 	write_setgroups(proc_dir_fd, allow_setgroups);
-	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+	write_mapping(proc_dir_fd, ranges, mappings, "gid_map", pw->pw_uid);
 	sub_gid_close();
 
 	return EXIT_SUCCESS;

src/newuidmap.c

@@ -179,7 +179,7 @@ int main(int argc, char **argv)
 
 	verify_ranges(pw, ranges, mappings);
 
-	write_mapping(proc_dir_fd, ranges, mappings, "uid_map");
+	write_mapping(proc_dir_fd, ranges, mappings, "uid_map", pw->pw_uid);
 	sub_uid_close();
 
 	return EXIT_SUCCESS;