|
111
|
1 // Copyright 2015 The Go Authors. All rights reserved.
|
|
|
2 // Use of this source code is governed by a BSD-style
|
|
|
3 // license that can be found in the LICENSE file.
|
|
|
4
|
|
|
5 // +build linux
|
|
|
6
|
|
|
7 package syscall_test
|
|
|
8
|
|
|
9 import (
|
|
|
10 "flag"
|
|
|
11 "fmt"
|
|
|
12 "internal/testenv"
|
|
|
13 "io"
|
|
|
14 "io/ioutil"
|
|
|
15 "os"
|
|
|
16 "os/exec"
|
|
|
17 "os/user"
|
|
|
18 "path/filepath"
|
|
|
19 "strconv"
|
|
|
20 "strings"
|
|
|
21 "syscall"
|
|
|
22 "testing"
|
|
|
23 "unsafe"
|
|
|
24 )
|
|
|
25
|
|
131
|
26 func isDocker() bool {
|
|
|
27 _, err := os.Stat("/.dockerenv")
|
|
|
28 return err == nil
|
|
|
29 }
|
|
|
30
|
|
|
31 func isLXC() bool {
|
|
|
32 return os.Getenv("container") == "lxc"
|
|
|
33 }
|
|
|
34
|
|
|
35 func skipInContainer(t *testing.T) {
|
|
|
36 if isDocker() {
|
|
|
37 t.Skip("skip this test in Docker container")
|
|
|
38 }
|
|
|
39 if isLXC() {
|
|
|
40 t.Skip("skip this test in LXC container")
|
|
|
41 }
|
|
|
42 }
|
|
|
43
|
|
111
|
44 // Check if we are in a chroot by checking if the inode of / is
|
|
|
45 // different from 2 (there is no better test available to non-root on
|
|
|
46 // linux).
|
|
|
47 func isChrooted(t *testing.T) bool {
|
|
|
48 root, err := os.Stat("/")
|
|
|
49 if err != nil {
|
|
|
50 t.Fatalf("cannot stat /: %v", err)
|
|
|
51 }
|
|
|
52 return root.Sys().(*syscall.Stat_t).Ino != 2
|
|
|
53 }
|
|
|
54
|
|
|
55 func checkUserNS(t *testing.T) {
|
|
131
|
56 skipInContainer(t)
|
|
111
|
57 if _, err := os.Stat("/proc/self/ns/user"); err != nil {
|
|
|
58 if os.IsNotExist(err) {
|
|
|
59 t.Skip("kernel doesn't support user namespaces")
|
|
|
60 }
|
|
|
61 if os.IsPermission(err) {
|
|
|
62 t.Skip("unable to test user namespaces due to permissions")
|
|
|
63 }
|
|
|
64 t.Fatalf("Failed to stat /proc/self/ns/user: %v", err)
|
|
|
65 }
|
|
|
66 if isChrooted(t) {
|
|
|
67 // create_user_ns in the kernel (see
|
|
|
68 // https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c)
|
|
|
69 // forbids the creation of user namespaces when chrooted.
|
|
|
70 t.Skip("cannot create user namespaces when chrooted")
|
|
|
71 }
|
|
|
72 // On some systems, there is a sysctl setting.
|
|
|
73 if os.Getuid() != 0 {
|
|
|
74 data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
|
|
|
75 if errRead == nil && data[0] == '0' {
|
|
|
76 t.Skip("kernel prohibits user namespace in unprivileged process")
|
|
|
77 }
|
|
|
78 }
|
|
|
79 // On Centos 7 make sure they set the kernel parameter user_namespace=1
|
|
|
80 // See issue 16283 and 20796.
|
|
|
81 if _, err := os.Stat("/sys/module/user_namespace/parameters/enable"); err == nil {
|
|
|
82 buf, _ := ioutil.ReadFile("/sys/module/user_namespace/parameters/enabled")
|
|
|
83 if !strings.HasPrefix(string(buf), "Y") {
|
|
|
84 t.Skip("kernel doesn't support user namespaces")
|
|
|
85 }
|
|
|
86 }
|
|
131
|
87
|
|
|
88 // On Centos 7.5+, user namespaces are disabled if user.max_user_namespaces = 0
|
|
|
89 if _, err := os.Stat("/proc/sys/user/max_user_namespaces"); err == nil {
|
|
|
90 buf, errRead := ioutil.ReadFile("/proc/sys/user/max_user_namespaces")
|
|
|
91 if errRead == nil && buf[0] == '0' {
|
|
|
92 t.Skip("kernel doesn't support user namespaces")
|
|
|
93 }
|
|
|
94 }
|
|
|
95
|
|
111
|
96 // When running under the Go continuous build, skip tests for
|
|
|
97 // now when under Kubernetes. (where things are root but not quite)
|
|
|
98 // Both of these are our own environment variables.
|
|
|
99 // See Issue 12815.
|
|
|
100 if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
|
|
|
101 t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
|
|
|
102 }
|
|
|
103 }
|
|
|
104
|
|
|
105 func whoamiCmd(t *testing.T, uid, gid int, setgroups bool) *exec.Cmd {
|
|
|
106 checkUserNS(t)
|
|
|
107 cmd := exec.Command("whoami")
|
|
|
108 cmd.SysProcAttr = &syscall.SysProcAttr{
|
|
|
109 Cloneflags: syscall.CLONE_NEWUSER,
|
|
|
110 UidMappings: []syscall.SysProcIDMap{
|
|
|
111 {ContainerID: 0, HostID: uid, Size: 1},
|
|
|
112 },
|
|
|
113 GidMappings: []syscall.SysProcIDMap{
|
|
|
114 {ContainerID: 0, HostID: gid, Size: 1},
|
|
|
115 },
|
|
|
116 GidMappingsEnableSetgroups: setgroups,
|
|
|
117 }
|
|
|
118 return cmd
|
|
|
119 }
|
|
|
120
|
|
|
121 func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) {
|
|
|
122 cmd := whoamiCmd(t, uid, gid, setgroups)
|
|
|
123 out, err := cmd.CombinedOutput()
|
|
|
124 if err != nil {
|
|
|
125 t.Fatalf("Cmd failed with err %v, output: %s", err, out)
|
|
|
126 }
|
|
|
127 sout := strings.TrimSpace(string(out))
|
|
|
128 want := "root"
|
|
|
129 if sout != want {
|
|
|
130 t.Fatalf("whoami = %q; want %q", out, want)
|
|
|
131 }
|
|
|
132 }
|
|
|
133
|
|
|
134 func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) {
|
|
|
135 if os.Getuid() != 0 {
|
|
|
136 t.Skip("skipping root only test")
|
|
|
137 }
|
|
|
138 testNEWUSERRemap(t, 0, 0, false)
|
|
|
139 }
|
|
|
140
|
|
|
141 func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) {
|
|
|
142 if os.Getuid() != 0 {
|
|
|
143 t.Skip("skipping root only test")
|
|
|
144 }
|
|
131
|
145 testNEWUSERRemap(t, 0, 0, true)
|
|
111
|
146 }
|
|
|
147
|
|
|
148 func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) {
|
|
|
149 if os.Getuid() == 0 {
|
|
|
150 t.Skip("skipping unprivileged user only test")
|
|
|
151 }
|
|
|
152 testNEWUSERRemap(t, os.Getuid(), os.Getgid(), false)
|
|
|
153 }
|
|
|
154
|
|
|
155 func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {
|
|
|
156 if os.Getuid() == 0 {
|
|
|
157 t.Skip("skipping unprivileged user only test")
|
|
|
158 }
|
|
|
159 cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), true)
|
|
|
160 err := cmd.Run()
|
|
|
161 if err == nil {
|
|
|
162 t.Skip("probably old kernel without security fix")
|
|
|
163 }
|
|
|
164 if !os.IsPermission(err) {
|
|
|
165 t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")
|
|
|
166 }
|
|
|
167 }
|
|
|
168
|
|
|
169 func TestEmptyCredGroupsDisableSetgroups(t *testing.T) {
|
|
|
170 cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), false)
|
|
|
171 cmd.SysProcAttr.Credential = &syscall.Credential{}
|
|
|
172 if err := cmd.Run(); err != nil {
|
|
|
173 t.Fatal(err)
|
|
|
174 }
|
|
|
175 }
|
|
|
176
|
|
|
177 func TestUnshare(t *testing.T) {
|
|
131
|
178 skipInContainer(t)
|
|
111
|
179 // Make sure we are running as root so we have permissions to use unshare
|
|
|
180 // and create a network namespace.
|
|
|
181 if os.Getuid() != 0 {
|
|
|
182 t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
|
|
|
183 }
|
|
|
184
|
|
|
185 // When running under the Go continuous build, skip tests for
|
|
|
186 // now when under Kubernetes. (where things are root but not quite)
|
|
|
187 // Both of these are our own environment variables.
|
|
|
188 // See Issue 12815.
|
|
|
189 if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
|
|
|
190 t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
|
|
|
191 }
|
|
|
192
|
|
|
193 path := "/proc/net/dev"
|
|
|
194 if _, err := os.Stat(path); err != nil {
|
|
|
195 if os.IsNotExist(err) {
|
|
|
196 t.Skip("kernel doesn't support proc filesystem")
|
|
|
197 }
|
|
|
198 if os.IsPermission(err) {
|
|
|
199 t.Skip("unable to test proc filesystem due to permissions")
|
|
|
200 }
|
|
|
201 t.Fatal(err)
|
|
|
202 }
|
|
|
203 if _, err := os.Stat("/proc/self/ns/net"); err != nil {
|
|
|
204 if os.IsNotExist(err) {
|
|
|
205 t.Skip("kernel doesn't support net namespace")
|
|
|
206 }
|
|
|
207 t.Fatal(err)
|
|
|
208 }
|
|
|
209
|
|
|
210 orig, err := ioutil.ReadFile(path)
|
|
|
211 if err != nil {
|
|
|
212 t.Fatal(err)
|
|
|
213 }
|
|
|
214 origLines := strings.Split(strings.TrimSpace(string(orig)), "\n")
|
|
|
215
|
|
|
216 cmd := exec.Command("cat", path)
|
|
|
217 cmd.SysProcAttr = &syscall.SysProcAttr{
|
|
|
218 Unshareflags: syscall.CLONE_NEWNET,
|
|
|
219 }
|
|
|
220 out, err := cmd.CombinedOutput()
|
|
|
221 if err != nil {
|
|
|
222 if strings.Contains(err.Error(), "operation not permitted") {
|
|
|
223 // Issue 17206: despite all the checks above,
|
|
|
224 // this still reportedly fails for some users.
|
|
|
225 // (older kernels?). Just skip.
|
|
|
226 t.Skip("skipping due to permission error")
|
|
|
227 }
|
|
|
228 t.Fatalf("Cmd failed with err %v, output: %s", err, out)
|
|
|
229 }
|
|
|
230
|
|
|
231 // Check there is only the local network interface
|
|
|
232 sout := strings.TrimSpace(string(out))
|
|
|
233 if !strings.Contains(sout, "lo:") {
|
|
|
234 t.Fatalf("Expected lo network interface to exist, got %s", sout)
|
|
|
235 }
|
|
|
236
|
|
|
237 lines := strings.Split(sout, "\n")
|
|
|
238 if len(lines) >= len(origLines) {
|
|
|
239 t.Fatalf("Got %d lines of output, want <%d", len(lines), len(origLines))
|
|
|
240 }
|
|
|
241 }
|
|
|
242
|
|
|
243 func TestGroupCleanup(t *testing.T) {
|
|
|
244 if os.Getuid() != 0 {
|
|
|
245 t.Skip("we need root for credential")
|
|
|
246 }
|
|
|
247 cmd := exec.Command("id")
|
|
|
248 cmd.SysProcAttr = &syscall.SysProcAttr{
|
|
|
249 Credential: &syscall.Credential{
|
|
|
250 Uid: 0,
|
|
|
251 Gid: 0,
|
|
|
252 },
|
|
|
253 }
|
|
|
254 out, err := cmd.CombinedOutput()
|
|
|
255 if err != nil {
|
|
|
256 t.Fatalf("Cmd failed with err %v, output: %s", err, out)
|
|
|
257 }
|
|
|
258 strOut := strings.TrimSpace(string(out))
|
|
|
259 expected := "uid=0(root) gid=0(root)"
|
|
|
260 // Just check prefix because some distros reportedly output a
|
|
|
261 // context parameter; see https://golang.org/issue/16224.
|
|
|
262 // Alpine does not output groups; see https://golang.org/issue/19938.
|
|
|
263 if !strings.HasPrefix(strOut, expected) {
|
|
|
264 t.Errorf("id command output: %q, expected prefix: %q", strOut, expected)
|
|
|
265 }
|
|
|
266 }
|
|
|
267
|
|
|
268 func TestGroupCleanupUserNamespace(t *testing.T) {
|
|
|
269 if os.Getuid() != 0 {
|
|
|
270 t.Skip("we need root for credential")
|
|
|
271 }
|
|
|
272 checkUserNS(t)
|
|
|
273 cmd := exec.Command("id")
|
|
|
274 uid, gid := os.Getuid(), os.Getgid()
|
|
|
275 cmd.SysProcAttr = &syscall.SysProcAttr{
|
|
|
276 Cloneflags: syscall.CLONE_NEWUSER,
|
|
|
277 Credential: &syscall.Credential{
|
|
|
278 Uid: uint32(uid),
|
|
|
279 Gid: uint32(gid),
|
|
|
280 },
|
|
|
281 UidMappings: []syscall.SysProcIDMap{
|
|
|
282 {ContainerID: 0, HostID: uid, Size: 1},
|
|
|
283 },
|
|
|
284 GidMappings: []syscall.SysProcIDMap{
|
|
|
285 {ContainerID: 0, HostID: gid, Size: 1},
|
|
|
286 },
|
|
|
287 }
|
|
|
288 out, err := cmd.CombinedOutput()
|
|
|
289 if err != nil {
|
|
|
290 t.Fatalf("Cmd failed with err %v, output: %s", err, out)
|
|
|
291 }
|
|
|
292 strOut := strings.TrimSpace(string(out))
|
|
|
293
|
|
|
294 // Strings we've seen in the wild.
|
|
|
295 expected := []string{
|
|
|
296 "uid=0(root) gid=0(root) groups=0(root)",
|
|
|
297 "uid=0(root) gid=0(root) groups=0(root),65534(nobody)",
|
|
|
298 "uid=0(root) gid=0(root) groups=0(root),65534(nogroup)",
|
|
|
299 "uid=0(root) gid=0(root) groups=0(root),65534",
|
|
|
300 "uid=0(root) gid=0(root) groups=0(root),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody)", // Alpine; see https://golang.org/issue/19938
|
|
|
301 }
|
|
|
302 for _, e := range expected {
|
|
|
303 if strOut == e {
|
|
|
304 return
|
|
|
305 }
|
|
|
306 }
|
|
|
307 t.Errorf("id command output: %q, expected one of %q", strOut, expected)
|
|
|
308 }
|
|
|
309
|
|
|
310 // TestUnshareHelperProcess isn't a real test. It's used as a helper process
|
|
|
311 // for TestUnshareMountNameSpace.
|
|
|
312 func TestUnshareMountNameSpaceHelper(*testing.T) {
|
|
|
313 if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
|
|
|
314 return
|
|
|
315 }
|
|
|
316 defer os.Exit(0)
|
|
|
317 if err := syscall.Mount("none", flag.Args()[0], "proc", 0, ""); err != nil {
|
|
|
318 fmt.Fprintf(os.Stderr, "unshare: mount %v failed: %v", os.Args, err)
|
|
|
319 os.Exit(2)
|
|
|
320 }
|
|
|
321 }
|
|
|
322
|
|
|
323 // Test for Issue 38471: unshare fails because systemd has forced / to be shared
|
|
|
324 func TestUnshareMountNameSpace(t *testing.T) {
|
|
131
|
325 skipInContainer(t)
|
|
111
|
326 // Make sure we are running as root so we have permissions to use unshare
|
|
|
327 // and create a network namespace.
|
|
|
328 if os.Getuid() != 0 {
|
|
|
329 t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
|
|
|
330 }
|
|
|
331
|
|
|
332 // When running under the Go continuous build, skip tests for
|
|
|
333 // now when under Kubernetes. (where things are root but not quite)
|
|
|
334 // Both of these are our own environment variables.
|
|
|
335 // See Issue 12815.
|
|
|
336 if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
|
|
|
337 t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
|
|
|
338 }
|
|
|
339
|
|
|
340 d, err := ioutil.TempDir("", "unshare")
|
|
|
341 if err != nil {
|
|
|
342 t.Fatalf("tempdir: %v", err)
|
|
|
343 }
|
|
|
344
|
|
|
345 cmd := exec.Command(os.Args[0], "-test.run=TestUnshareMountNameSpaceHelper", d)
|
|
|
346 cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
|
|
|
347 cmd.SysProcAttr = &syscall.SysProcAttr{Unshareflags: syscall.CLONE_NEWNS}
|
|
|
348
|
|
|
349 o, err := cmd.CombinedOutput()
|
|
|
350 if err != nil {
|
|
|
351 if strings.Contains(err.Error(), ": permission denied") {
|
|
|
352 t.Skipf("Skipping test (golang.org/issue/19698); unshare failed due to permissions: %s, %v", o, err)
|
|
|
353 }
|
|
|
354 t.Fatalf("unshare failed: %s, %v", o, err)
|
|
|
355 }
|
|
|
356
|
|
|
357 // How do we tell if the namespace was really unshared? It turns out
|
|
|
358 // to be simple: just try to remove the directory. If it's still mounted
|
|
|
359 // on the rm will fail with EBUSY. Then we have some cleanup to do:
|
|
|
360 // we must unmount it, then try to remove it again.
|
|
|
361
|
|
|
362 if err := os.Remove(d); err != nil {
|
|
|
363 t.Errorf("rmdir failed on %v: %v", d, err)
|
|
|
364 if err := syscall.Unmount(d, syscall.MNT_FORCE); err != nil {
|
|
|
365 t.Errorf("Can't unmount %v: %v", d, err)
|
|
|
366 }
|
|
|
367 if err := os.Remove(d); err != nil {
|
|
|
368 t.Errorf("rmdir after unmount failed on %v: %v", d, err)
|
|
|
369 }
|
|
|
370 }
|
|
|
371 }
|
|
|
372
|
|
|
373 // Test for Issue 20103: unshare fails when chroot is used
|
|
|
374 func TestUnshareMountNameSpaceChroot(t *testing.T) {
|
|
131
|
375 skipInContainer(t)
|
|
111
|
376 // Make sure we are running as root so we have permissions to use unshare
|
|
|
377 // and create a network namespace.
|
|
|
378 if os.Getuid() != 0 {
|
|
|
379 t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
|
|
|
380 }
|
|
|
381
|
|
|
382 // When running under the Go continuous build, skip tests for
|
|
|
383 // now when under Kubernetes. (where things are root but not quite)
|
|
|
384 // Both of these are our own environment variables.
|
|
|
385 // See Issue 12815.
|
|
|
386 if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
|
|
|
387 t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
|
|
|
388 }
|
|
|
389
|
|
|
390 d, err := ioutil.TempDir("", "unshare")
|
|
|
391 if err != nil {
|
|
|
392 t.Fatalf("tempdir: %v", err)
|
|
|
393 }
|
|
|
394
|
|
|
395 // Since we are doing a chroot, we need the binary there,
|
|
|
396 // and it must be statically linked.
|
|
|
397 x := filepath.Join(d, "syscall.test")
|
|
|
398 cmd := exec.Command(testenv.GoToolPath(t), "test", "-c", "-o", x, "syscall")
|
|
|
399 cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
|
|
|
400 if o, err := cmd.CombinedOutput(); err != nil {
|
|
|
401 t.Fatalf("Build of syscall in chroot failed, output %v, err %v", o, err)
|
|
|
402 }
|
|
|
403
|
|
|
404 cmd = exec.Command("/syscall.test", "-test.run=TestUnshareMountNameSpaceHelper", "/")
|
|
|
405 cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
|
|
|
406 cmd.SysProcAttr = &syscall.SysProcAttr{Chroot: d, Unshareflags: syscall.CLONE_NEWNS}
|
|
|
407
|
|
|
408 o, err := cmd.CombinedOutput()
|
|
|
409 if err != nil {
|
|
|
410 if strings.Contains(err.Error(), ": permission denied") {
|
|
|
411 t.Skipf("Skipping test (golang.org/issue/19698); unshare failed due to permissions: %s, %v", o, err)
|
|
|
412 }
|
|
|
413 t.Fatalf("unshare failed: %s, %v", o, err)
|
|
|
414 }
|
|
|
415
|
|
|
416 // How do we tell if the namespace was really unshared? It turns out
|
|
|
417 // to be simple: just try to remove the executable. If it's still mounted
|
|
|
418 // on, the rm will fail. Then we have some cleanup to do:
|
|
|
419 // we must force unmount it, then try to remove it again.
|
|
|
420
|
|
|
421 if err := os.Remove(x); err != nil {
|
|
|
422 t.Errorf("rm failed on %v: %v", x, err)
|
|
|
423 if err := syscall.Unmount(d, syscall.MNT_FORCE); err != nil {
|
|
|
424 t.Fatalf("Can't unmount %v: %v", d, err)
|
|
|
425 }
|
|
|
426 if err := os.Remove(x); err != nil {
|
|
|
427 t.Fatalf("rm failed on %v: %v", x, err)
|
|
|
428 }
|
|
|
429 }
|
|
|
430
|
|
|
431 if err := os.Remove(d); err != nil {
|
|
|
432 t.Errorf("rmdir failed on %v: %v", d, err)
|
|
|
433 }
|
|
|
434 }
|
|
|
435
|
|
|
436 type capHeader struct {
|
|
|
437 version uint32
|
|
|
438 pid int
|
|
|
439 }
|
|
|
440
|
|
|
441 type capData struct {
|
|
|
442 effective uint32
|
|
|
443 permitted uint32
|
|
|
444 inheritable uint32
|
|
|
445 }
|
|
|
446
|
|
|
447 const CAP_SYS_TIME = 25
|
|
|
448
|
|
|
449 type caps struct {
|
|
|
450 hdr capHeader
|
|
|
451 data [2]capData
|
|
|
452 }
|
|
|
453
|
|
|
454 func getCaps() (caps, error) {
|
|
|
455 var c caps
|
|
|
456
|
|
|
457 // Get capability version
|
|
|
458 if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&c.hdr)), uintptr(unsafe.Pointer(nil)), 0); errno != 0 {
|
|
|
459 return c, fmt.Errorf("SYS_CAPGET: %v", errno)
|
|
|
460 }
|
|
|
461
|
|
|
462 // Get current capabilities
|
|
|
463 if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&c.hdr)), uintptr(unsafe.Pointer(&c.data[0])), 0); errno != 0 {
|
|
|
464 return c, fmt.Errorf("SYS_CAPGET: %v", errno)
|
|
|
465 }
|
|
|
466
|
|
|
467 return c, nil
|
|
|
468 }
|
|
|
469
|
|
|
470 func mustSupportAmbientCaps(t *testing.T) {
|
|
|
471 var uname syscall.Utsname
|
|
|
472 if err := syscall.Uname(&uname); err != nil {
|
|
|
473 t.Fatalf("Uname: %v", err)
|
|
|
474 }
|
|
|
475 var buf [65]byte
|
|
|
476 for i, b := range uname.Release {
|
|
|
477 buf[i] = byte(b)
|
|
|
478 }
|
|
|
479 ver := string(buf[:])
|
|
|
480 if i := strings.Index(ver, "\x00"); i != -1 {
|
|
|
481 ver = ver[:i]
|
|
|
482 }
|
|
|
483 if strings.HasPrefix(ver, "2.") ||
|
|
|
484 strings.HasPrefix(ver, "3.") ||
|
|
|
485 strings.HasPrefix(ver, "4.1.") ||
|
|
|
486 strings.HasPrefix(ver, "4.2.") {
|
|
|
487 t.Skipf("kernel version %q predates required 4.3; skipping test", ver)
|
|
|
488 }
|
|
|
489 }
|
|
|
490
|
|
|
491 // TestAmbientCapsHelper isn't a real test. It's used as a helper process for
|
|
|
492 // TestAmbientCaps.
|
|
|
493 func TestAmbientCapsHelper(*testing.T) {
|
|
|
494 if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
|
|
|
495 return
|
|
|
496 }
|
|
|
497 defer os.Exit(0)
|
|
|
498
|
|
|
499 caps, err := getCaps()
|
|
|
500 if err != nil {
|
|
|
501 fmt.Fprintln(os.Stderr, err)
|
|
|
502 os.Exit(2)
|
|
|
503 }
|
|
|
504 if caps.data[0].effective&(1<<uint(CAP_SYS_TIME)) == 0 {
|
|
|
505 fmt.Fprintln(os.Stderr, "CAP_SYS_TIME unexpectedly not in the effective capability mask")
|
|
|
506 os.Exit(2)
|
|
|
507 }
|
|
|
508 }
|
|
|
509
|
|
|
510 func TestAmbientCaps(t *testing.T) {
|
|
131
|
511 skipInContainer(t)
|
|
111
|
512 // Make sure we are running as root so we have permissions to use unshare
|
|
|
513 // and create a network namespace.
|
|
|
514 if os.Getuid() != 0 {
|
|
|
515 t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
|
|
|
516 }
|
|
|
517 mustSupportAmbientCaps(t)
|
|
|
518
|
|
|
519 // When running under the Go continuous build, skip tests for
|
|
|
520 // now when under Kubernetes. (where things are root but not quite)
|
|
|
521 // Both of these are our own environment variables.
|
|
|
522 // See Issue 12815.
|
|
|
523 if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
|
|
|
524 t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
|
|
|
525 }
|
|
|
526
|
|
|
527 caps, err := getCaps()
|
|
|
528 if err != nil {
|
|
|
529 t.Fatal(err)
|
|
|
530 }
|
|
|
531
|
|
|
532 // Add CAP_SYS_TIME to the permitted and inheritable capability mask,
|
|
|
533 // otherwise we will not be able to add it to the ambient capability mask.
|
|
|
534 caps.data[0].permitted |= 1 << uint(CAP_SYS_TIME)
|
|
|
535 caps.data[0].inheritable |= 1 << uint(CAP_SYS_TIME)
|
|
|
536
|
|
|
537 if _, _, errno := syscall.Syscall(syscall.SYS_CAPSET, uintptr(unsafe.Pointer(&caps.hdr)), uintptr(unsafe.Pointer(&caps.data[0])), 0); errno != 0 {
|
|
|
538 t.Fatalf("SYS_CAPSET: %v", errno)
|
|
|
539 }
|
|
|
540
|
|
|
541 u, err := user.Lookup("nobody")
|
|
|
542 if err != nil {
|
|
|
543 t.Fatal(err)
|
|
|
544 }
|
|
|
545 uid, err := strconv.ParseInt(u.Uid, 0, 32)
|
|
|
546 if err != nil {
|
|
|
547 t.Fatal(err)
|
|
|
548 }
|
|
|
549 gid, err := strconv.ParseInt(u.Gid, 0, 32)
|
|
|
550 if err != nil {
|
|
|
551 t.Fatal(err)
|
|
|
552 }
|
|
|
553
|
|
|
554 // Copy the test binary to a temporary location which is readable by nobody.
|
|
|
555 f, err := ioutil.TempFile("", "gotest")
|
|
|
556 if err != nil {
|
|
|
557 t.Fatal(err)
|
|
|
558 }
|
|
|
559 defer os.Remove(f.Name())
|
|
|
560 defer f.Close()
|
|
|
561 e, err := os.Open(os.Args[0])
|
|
|
562 if err != nil {
|
|
|
563 t.Fatal(err)
|
|
|
564 }
|
|
|
565 defer e.Close()
|
|
|
566 if _, err := io.Copy(f, e); err != nil {
|
|
|
567 t.Fatal(err)
|
|
|
568 }
|
|
|
569 if err := f.Chmod(0755); err != nil {
|
|
|
570 t.Fatal(err)
|
|
|
571 }
|
|
|
572 if err := f.Close(); err != nil {
|
|
|
573 t.Fatal(err)
|
|
|
574 }
|
|
|
575
|
|
|
576 cmd := exec.Command(f.Name(), "-test.run=TestAmbientCapsHelper")
|
|
|
577 cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
|
|
|
578 cmd.Stdout = os.Stdout
|
|
|
579 cmd.Stderr = os.Stderr
|
|
|
580 cmd.SysProcAttr = &syscall.SysProcAttr{
|
|
|
581 Credential: &syscall.Credential{
|
|
|
582 Uid: uint32(uid),
|
|
|
583 Gid: uint32(gid),
|
|
|
584 },
|
|
|
585 AmbientCaps: []uintptr{CAP_SYS_TIME},
|
|
|
586 }
|
|
|
587 if err := cmd.Run(); err != nil {
|
|
|
588 t.Fatal(err.Error())
|
|
|
589 }
|
|
|
590 }
|
