runsc/bwrap: Add hostname flag in bwrap alias

.buildkite/pipeline.yaml

@@ -592,6 +592,14 @@ steps:
       <<: *platform_specific_agents
       arch: "amd64"
 
+  # Bwrap tests.
+  - <<: *common
+    <<: *docker
+    label: ":package: bwrap tests"
+    command: make bwrap-tests
+    agents:
+      arch: "amd64"
+
   # Runtime tests (goferfs). Continuous only.
   - <<: *common
     <<: *docker

Makefile

@@ -464,6 +464,10 @@ nftables-syscall-runc-tests: load-nftables
 	@$(call build_paths,//test/syscalls/linux:socket_netlink_netfilter_test,docker run $(DOCKER_RUN_OPTIONS) --user 0:0 --runtime runc --rm gvisor.dev/images/nftables {})
 .PHONY: nftables-syscall-runc-tests
 
+bwrap-tests: ## Run bwrap integration tests.
+	@$(call test,//runsc/cmd/alias/bwrap:bwrap_integration_test)
+.PHONY: bwrap-tests
+
 packetdrill-tests: load-packetdrill $(RUNTIME_BIN)
 	@$(call install_runtime,$(RUNTIME),) # Clear flags.
 	@$(call test_runtime,$(RUNTIME),//test/packetdrill:all_tests)

runsc/cmd/alias/bwrap/BUILD

@@ -37,3 +37,20 @@ go_test(
         "@com_github_opencontainers_runtime_spec//specs-go:go_default_library",
     ],
 )
+
+go_test(
+    name = "bwrap_integration_test",
+    srcs = ["bwrap_integration_test.go"],
+    data = [
+        "//runsc",
+    ],
+    library = ":bwrap",
+    tags = [
+        "local",
+        "manual",
+    ],
+    deps = [
+        "//pkg/test/testutil",
+        "//runsc/specutils",
+    ],
+)

runsc/cmd/alias/bwrap/bwrap.go

@@ -169,6 +169,12 @@ type bwrapConfig struct {
 	Chdir        string
 	WorkspaceDir string
 	runscConfig  *config.Config
+	Env          []string
+	ClearEnv     bool
+	UID          int
+	GID          int
+	UnshareUser  bool
+	Hostname     string
 }
 
 // String returns a string representation of the bwrapConfig.
@@ -251,6 +257,14 @@ func (c *bwrapConfig) mapCWD() (string, error) {
 // TODO: b/508701483 - Use the causeway library when it is ready
 // and update this function.
 func (c *bwrapConfig) buildRunscSpec() (*specs.Spec, error) {
+	if c.UID != -1 && !c.UnshareUser {
+		return nil, fmt.Errorf("bwrap: Specifying --uid requires --unshare-user")
+	}
+
+	if c.GID != -1 && !c.UnshareUser {
+		return nil, fmt.Errorf("bwrap: Specifying --gid requires --unshare-user")
+	}
+
 	spec := &specs.Spec{}
 	// Find what the current working directory should be in the sandbox.
 	cwd, err := c.mapCWD()
@@ -260,10 +274,45 @@ func (c *bwrapConfig) buildRunscSpec() (*specs.Spec, error) {
 	spec.Process = &specs.Process{
 		Cwd:          cwd,
 		Args:         c.Args,
-		Env:          os.Environ(),
+		Env:          c.Env,
 		Capabilities: specutils.AllCapabilities(),
 	}
 
+	targetUID := os.Getuid()
+	if c.UID != -1 {
+		targetUID = c.UID
+	}
+	targetGID := os.Getgid()
+	if c.GID != -1 {
+		targetGID = c.GID
+	}
+
+	if c.UnshareUser {
+		spec.Process.User = specs.User{
+			UID: uint32(targetUID),
+			GID: uint32(targetGID),
+		}
+		if spec.Linux == nil {
+			spec.Linux = &specs.Linux{}
+		}
+		ns := specs.LinuxNamespace{Type: specs.UserNamespace}
+		spec.Linux.UIDMappings = []specs.LinuxIDMapping{
+			{ContainerID: uint32(targetUID), HostID: uint32(os.Getuid()), Size: 1},
+		}
+		spec.Linux.GIDMappings = []specs.LinuxIDMapping{
+			{ContainerID: uint32(targetGID), HostID: uint32(os.Getgid()), Size: 1},
+		}
+		spec.Linux.Namespaces = append(spec.Linux.Namespaces, ns)
+	} else if c.UID != -1 || c.GID != -1 {
+		spec.Process.User = specs.User{}
+		if c.UID != -1 {
+			spec.Process.User.UID = uint32(c.UID)
+		}
+		if c.GID != -1 {
+			spec.Process.User.GID = uint32(c.GID)
+		}
+	}
+
 	rootMount, rootMountPresent := c.getRootMount()
 	if rootMountPresent {
 		// If a root mount is specified, use it as the root.
@@ -337,6 +386,10 @@ func (c *bwrapConfig) buildRunscSpec() (*specs.Spec, error) {
 		}
 	}
 
+	if c.Hostname != "" {
+		spec.Hostname = c.Hostname
+	}
+
 	// TODO: b/508701483 - Fix support for network args.
 	if c.UnshareNet {
 		if spec.Linux == nil {