As pointed out by Stephen Röttger <sroettger@google.com>, in
drop_privs() we only drop root in the setuid case if geteuid() is
0. Typically geteuid() == 0 means we were setuid root and have not yet
switched away from it.
However, it is possible to make the geteuid call fail by passing a
--userns2 namespace which doesn't have 0 mapped (i.e. where geteuid()
will return the owerflow uid instead).
If you do this, the pid 1 process in the sandbox will continue running
as host uid 0, while dropping the dumpable flag, and at this point the
user can ptrace attach the process and have root permissions.
We fix this by not relying on the geteuid() call to know when we need
to drop root uid, but rather keep track of whether we already switched
from it.
Gbp-Pq: Name CVE-2020-5291.patch
Alexander Larsson