Set up /var/empty and allow userns

Future changes will allow crosvm/cuttlefish to run inside the image, so
set up /var/empty and allow any user to create user namespaces to allow
minijail sandboxing to work properly.

Change-Id: I76dca567cfa2903c545194c197304508472df9c1
diff --git a/net/test/rootfs/stage2.sh b/net/test/rootfs/stage2.sh
index 4fbd15e..bb35b78 100755
--- a/net/test/rootfs/stage2.sh
+++ b/net/test/rootfs/stage2.sh
@@ -43,6 +43,12 @@
 echo "127.0.1.1       debian" >>/etc/hosts
 echo debian >/etc/hostname
 
+# Support chroot jailing with minijail
+cat >/etc/sysctl.d/80-nsjail.conf <<EOF
+kernel.unprivileged_userns_clone=1
+EOF
+mkdir -p /var/empty
+
 # Clean up any other junk created by the imaging process
 rm -rf /root/stage2.sh /tmp/*
 find /var/log -type f -exec rm -f '{}' ';'
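Review bot: the added sysctl file is named `80-nsjail.conf`, but the comment above it and the commit message both say the consumer is minijail; rename it (for example `80-minijail.conf`) so the reason for the setting can be found later. The `kernel.unprivileged_userns_clone=1` line enables user namespace creation for every account in the image, which widens the kernel attack surface reachable by unprivileged code, so the comment should say that this is deliberate and acceptable for this test rootfs rather than only "Support chroot jailing". For `mkdir -p /var/empty`, the mode depends on the umask in effect when stage2.sh runs; since the directory is meant to be an empty jail root, set ownership and mode explicitly, e.g. `install -d -m 0555 -o root -g root /var/empty`, so nothing unprivileged can write into it.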