Nsjail permission errors

When trying to use nsjail I keep getting permission errors:

For example, if I try the following command:

nsjail \
  --chroot ./root \
  -U 0:100000:65536 \
  -G 0:100000:65536 \
  --mount /nix/store \
  --rw \
  --hostname nsjail-container \
  --disable_no_new_privs \
  -- $(readlink result)/init

I get the following errors:

[I][2024-12-23T22:05:39+0200] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2024-12-23T22:05:39+0200] Uid map: inside_uid:0 outside_uid:100000 count:65536 newuidmap:true
[I][2024-12-23T22:05:39+0200] Gid map: inside_gid:0 outside_gid:100000 count:65536 newgidmap:true
newgidmap: write to gid_map failed: Operation not permitted
[E][2024-12-23T22:05:39+0200][1484771] gidMapExternal():199 '/nix/store/cmmm1g8d3nyib4h9sy3qf9kg2ljzr789-shadow-4.16.0/bin/newgidmap' failed
[E][2024-12-23T22:05:39+0200][1484771] initParent():437 Couldn't initialize user namespace for pid=1484772
[E][2024-12-23T22:05:39+0200][1484771] standaloneMode():275 Couldn't launch the child process

I’ve tried simply calling unshare and newgidmap from the command line, and it worked. But not from nsjail.

I also tried dropping the -U and -G options, and then I got a different permission error createDirRecursively():156 openat('5', 'root', O_DIRECTORY | O_CLOEXEC): Permission denied.

What’s wrong here?
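An added check, not from the original post: newuidmap and newgidmap will only write a mapping that the invoking user's /etc/subuid or /etc/subgid entry authorizes, so a small shell function that tests whether the requested range (here the 100000:65536 from the -G option) is fully covered by such an entry is a first thing to verify. The sample subgid file, the user names alice and bob and the function name are all constructed for this demo.

```shell
#!/bin/sh
# Added check (not from the original post): does a subordinate-id file grant
# USER one contiguous range covering START..START+COUNT-1, as newgidmap
# requires before it will write a mapping into a child's gid_map?
# Usage: range_covered <subid-file> <user> <start> <count>; exit 0 if covered.
range_covered() {
  file=$1; user=$2; start=$3; count=$4
  end=$((start + count - 1))
  awk -F: -v u="$user" -v s="$start" -v e="$end" '
    $1 == u {
      lo = $2 + 0; hi = $2 + $3 - 1
      # A single entry must cover the whole requested range.
      if (lo <= s && e <= hi) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }' "$file"
}

# Constructed sample /etc/subgid for the demo (not a real system file):
# alice holds 100000..165535, bob only 200000..265535.
SAMPLE_SUBGID=$(mktemp)
cat >"$SAMPLE_SUBGID" <<'EOF'
alice:100000:65536
bob:200000:65536
EOF

# -G 0:100000:65536 from the post asks for gids 100000..165535.
for who in alice bob; do
  if range_covered "$SAMPLE_SUBGID" "$who" 100000 65536; then
    echo "$who: range 100000+65536 is covered"
  else
    echo "$who: range 100000+65536 is NOT covered (newgidmap would refuse)"
  fi
done

# On a real host, run it against the live file for the invoking user:
#   range_covered /etc/subgid "$(id -un)" 100000 65536
# This models only the subgid rule; a missing setuid bit on newgidmap or
# other namespace restrictions are not detected by it.
```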