syscall: add Unshare flags to SysProcAttr on Linux

This patch adds Unshare flags to SysProcAttr for Linux systems.

Fixes #1954

Change-Id: Id819c3f92b1474e5a06dd8d55f89d74a43eb770c
Reviewed-on: https://go-review.googlesource.com/23233
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

1 files changed, 36 insertions, 0 deletions

diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go
index eb32cfd4b1..ec5be107e0 100644
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@@ -125,3 +125,39 @@ func TestEmptyCredGroupsDisableSetgroups(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestUnshare(t *testing.T) {
+	// Make sure we are running as root so we have permissions to use unshare
+	// and create a network namespace.
+	if os.Getuid() != 0 {
+		t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
+	}
+
+	// When running under the Go continuous build, skip tests for
+	// now when under Kubernetes. (where things are root but not quite)
+	// Both of these are our own environment variables.
+	// See Issue 12815.
+	if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
+		t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
+	}
+
+	cmd := exec.Command("ip", "a")
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Unshare: syscall.CLONE_NEWNET,
+	}
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Cmd failed with err %v, output: %s", err, out)
+	}
+
+	// Check there is only the local network interface
+	sout := strings.TrimSpace(string(out))
+	if !strings.Contains(sout, "lo") {
+		t.Fatalf("Expected lo network interface to exist, got %s", sout)
+	}
+
+	lines := strings.Split(sout, "\n")
+	if len(lines) != 2 {
+		t.Fatalf("Expected 2 lines of output, got %d", len(lines))
+	}
+}