diff options
author | Michael Stapelberg <stapelberg@google.com> | 2019-01-17 16:53:41 +0100 |
---|---|---|
committer | Ian Lance Taylor <iant@golang.org> | 2019-03-12 00:40:34 +0000 |
commit | 2bd28cee2356c34427a94f4323bd534641f7070b (patch) | |
tree | 8a830a0f4a85f88e7b62c71d956dee7905c5ccfc /src/syscall/exec_linux_test.go | |
parent | 30cc8a46c47252e15300d3cf9d27cba9e71e649b (diff) | |
download | go-2bd28cee2356c34427a94f4323bd534641f7070b.tar.gz go-2bd28cee2356c34427a94f4323bd534641f7070b.zip |
syscall: correctly set up uid/gid mappings in user namespaces
Before this CL, uid/gid mapping was always set up from the parent
process, which is a privileged operation.
When using unprivileged user namespaces, a process can modify its
uid/gid mapping after the unshare(2) call (but setting the uid/gid
mapping from another process is NOT possible).
Fixes #29789
Change-Id: I8c96a03f5da23fe80bbb83ef051ad89cf185d750
Reviewed-on: https://go-review.googlesource.com/c/go/+/158298
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Diffstat (limited to 'src/syscall/exec_linux_test.go')
-rw-r--r-- | src/syscall/exec_linux_test.go | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go index 826487b676..09ced3b0e0 100644 --- a/src/syscall/exec_linux_test.go +++ b/src/syscall/exec_linux_test.go @@ -434,6 +434,49 @@ func TestUnshareMountNameSpaceChroot(t *testing.T) { } } +func TestUnshareUidGidMappingHelper(*testing.T) { + if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" { + return + } + defer os.Exit(0) + if err := syscall.Chroot(os.TempDir()); err != nil { + fmt.Fprintln(os.Stderr, err) + os.Exit(2) + } +} + +// Test for Issue 29789: unshare fails when uid/gid mapping is specified +func TestUnshareUidGidMapping(t *testing.T) { + if os.Getuid() == 0 { + t.Skip("test exercises unprivileged user namespace, fails with privileges") + } + checkUserNS(t) + cmd := exec.Command(os.Args[0], "-test.run=TestUnshareUidGidMappingHelper") + cmd.Env = append(os.Environ(), "GO_WANT_HELPER_PROCESS=1") + cmd.SysProcAttr = &syscall.SysProcAttr{ + Unshareflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWUSER, + GidMappingsEnableSetgroups: false, + UidMappings: []syscall.SysProcIDMap{ + { + ContainerID: 0, + HostID: syscall.Getuid(), + Size: 1, + }, + }, + GidMappings: []syscall.SysProcIDMap{ + { + ContainerID: 0, + HostID: syscall.Getgid(), + Size: 1, + }, + }, + } + out, err := cmd.CombinedOutput() + if err != nil { + t.Fatalf("Cmd failed with err %v, output: %s", err, out) + } +} + type capHeader struct { version uint32 pid int32 |