Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

syscall: add Unshare flags to SysProcAttr on Linux

Browse source 
This patch adds Unshare flags to SysProcAttr for Linux systems.

Fixes #1954

Change-Id: Id819c3f92b1474e5a06dd8d55f89d74a43eb770c
Reviewed-on: https://go-review.googlesource.com/23233
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
This commit is contained in:
Jess Frazelle 2016-05-18 18:47:24 -07:00 committed by Ian Lance Taylor
parent 448246adff
commit 8527b8ef9b
2 changed files with 45 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/syscall/exec_linux.go
View file

@ -32,6 +32,7 @@ type SysProcAttr struct {
Pgid int // Child's process group ID if Setpgid. Pgid int // Child's process group ID if Setpgid.
Pdeathsig Signal // Signal that the process will get when its parent dies (Linux only) Pdeathsig Signal // Signal that the process will get when its parent dies (Linux only)
Cloneflags uintptr // Flags for clone calls (Linux only) Cloneflags uintptr // Flags for clone calls (Linux only)
Unshare uintptr // Flags for unshare calls (Linux only)
UidMappings []SysProcIDMap // User ID mappings for user namespaces. UidMappings []SysProcIDMap // User ID mappings for user namespaces.
GidMappings []SysProcIDMap // Group ID mappings for user namespaces. GidMappings []SysProcIDMap // Group ID mappings for user namespaces.
// GidMappingsEnableSetgroups enabling setgroups syscall. // GidMappingsEnableSetgroups enabling setgroups syscall.
@ -194,6 +195,14 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr
} }
} }
// Unshare
if sys.Unshare != 0 {
_, _, err1 = RawSyscall(SYS_UNSHARE, sys.Unshare, 0, 0)
if err1 != 0 {
goto childerror
}
}
// User and groups // User and groups
if cred := sys.Credential; cred != nil { if cred := sys.Credential; cred != nil {
ngroups := uintptr(len(cred.Groups)) ngroups := uintptr(len(cred.Groups))

36
src/syscall/exec_linux_test.go
View file

@ -125,3 +125,39 @@ func TestEmptyCredGroupsDisableSetgroups(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
} }
func TestUnshare(t *testing.T) {
// Make sure we are running as root so we have permissions to use unshare
// and create a network namespace.
if os.Getuid() != 0 {
t.Skip("kernel prohibits unshare in unprivileged process, unless using user namespace")
}
// When running under the Go continuous build, skip tests for
// now when under Kubernetes. (where things are root but not quite)
// Both of these are our own environment variables.
// See Issue 12815.
if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
}
cmd := exec.Command("ip", "a")
cmd.SysProcAttr = &syscall.SysProcAttr{
Unshare: syscall.CLONE_NEWNET,
}
out, err := cmd.CombinedOutput()
if err != nil {
t.Fatalf("Cmd failed with err %v, output: %s", err, out)
}
// Check there is only the local network interface
sout := strings.TrimSpace(string(out))
if !strings.Contains(sout, "lo") {
t.Fatalf("Expected lo network interface to exist, got %s", sout)
}
lines := strings.Split(sout, "\n")
if len(lines) != 2 {
t.Fatalf("Expected 2 lines of output, got %d", len(lines))
}
}