Permalink
Browse files

syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr

Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to
address a security issue.
The upshot of the 3.19 changes is that in order to update the 'gid_maps' file,
use of the setgroups() system call in this user namespace must first be disabled
by writing "deny" to one of the /proc/PID/setgroups files for this namespace.

Also added tests for remapping uid_map and gid_map inside new user
namespace.

Fixes #10626

Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7
Reviewed-on: https://go-review.googlesource.com/10670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
  • Loading branch information...
LK4D4 authored and ianlancetaylor committed Jun 3, 2015
1 parent 368f0ee commit f5c60ff2da4851f9056120a423ce6b48624fb97e
Showing with 119 additions and 0 deletions.
  1. +35 −0 src/syscall/exec_linux.go
  2. +84 −0 src/syscall/exec_linux_test.go
View
@@ -33,6 +33,11 @@ type SysProcAttr struct {
Cloneflags uintptr // Flags for clone calls (Linux only)
UidMappings []SysProcIDMap // User ID mappings for user namespaces.
GidMappings []SysProcIDMap // Group ID mappings for user namespaces.
// GidMappingsEnableSetgroups enabling setgroups syscall.
// If false, then setgroups syscall will be disabled for the child process.
// This parameter is no-op if GidMappings == nil. Otherwise for unprivileged
// users this should be set to false for mappings work.
GidMappingsEnableSetgroups bool
}
// Implemented in runtime package.
@@ -366,6 +371,32 @@ func writeIDMappings(path string, idMap []SysProcIDMap) error {
return nil
}
// writeSetgroups writes to /proc/PID/setgroups "deny" if enable is false
// and "allow" if enable is true.
// This is needed since kernel 3.19, because you can't write gid_map without
// disabling setgroups() system call.
func writeSetgroups(pid int, enable bool) error {
sgf := "/proc/" + itoa(pid) + "/setgroups"
fd, err := Open(sgf, O_RDWR, 0)
if err != nil {
return err
}
var data []byte
if enable {
data = []byte("allow")
} else {
data = []byte("deny")
}
if _, err := Write(fd, data); err != nil {
Close(fd)
return err
}
return Close(fd)
}
// writeUidGidMappings writes User ID and Group ID mappings for user namespaces
// for a process and it is called from the parent process.
func writeUidGidMappings(pid int, sys *SysProcAttr) error {
@@ -377,6 +408,10 @@ func writeUidGidMappings(pid int, sys *SysProcAttr) error {
}
if sys.GidMappings != nil {
// If the kernel is too old to support /proc/PID/setgroups, writeSetGroups will return ENOENT; this is OK.
if err := writeSetgroups(pid, sys.GidMappingsEnableSetgroups); err != nil && err != ENOENT {
return err
}
gidf := "/proc/" + itoa(pid) + "/gid_map"
if err := writeIDMappings(gidf, sys.GidMappings); err != nil {
return err
@@ -0,0 +1,84 @@
// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build linux
package syscall_test
import (
"os"
"os/exec"
"strings"
"syscall"
"testing"
)
func whoamiCmd(t *testing.T, uid int, setgroups bool) *exec.Cmd {
if _, err := os.Stat("/proc/self/ns/user"); err != nil {
if os.IsNotExist(err) {
t.Skip("kernel doesn't support user namespaces")
}
t.Fatalf("Failed to stat /proc/self/ns/user: %v", err)
}
cmd := exec.Command("whoami")
cmd.SysProcAttr = &syscall.SysProcAttr{
Cloneflags: syscall.CLONE_NEWUSER,
UidMappings: []syscall.SysProcIDMap{
{ContainerID: 0, HostID: uid, Size: 1},
},
GidMappings: []syscall.SysProcIDMap{
{ContainerID: 0, HostID: uid, Size: 1},
},
GidMappingsEnableSetgroups: setgroups,
}
return cmd
}
func testNEWUSERRemap(t *testing.T, uid int, setgroups bool) {
cmd := whoamiCmd(t, uid, setgroups)
out, err := cmd.CombinedOutput()
if err != nil {
t.Fatalf("Cmd failed with err %v, output: %s", err, out)
}
sout := strings.TrimSpace(string(out))
want := "root"
if sout != want {
t.Fatalf("whoami = %q; want %q", out, want)
}
}
func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) {
if os.Getuid() != 0 {
t.Skip("skipping root only test")
}
testNEWUSERRemap(t, 0, false)
}
func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) {
if os.Getuid() != 0 {
t.Skip("skipping root only test")
}
testNEWUSERRemap(t, 0, false)
}
func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) {
if os.Getuid() == 0 {
t.Skip("skipping unprivileged user only test")
}
testNEWUSERRemap(t, os.Getuid(), false)
}
func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {
if os.Getuid() == 0 {
t.Skip("skipping unprivileged user only test")
}
cmd := whoamiCmd(t, os.Getuid(), true)
err := cmd.Run()
if err == nil {
t.Skip("probably old kernel without security fix")
}
if !strings.Contains(err.Error(), "operation not permitted") {
t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")
}
}

0 comments on commit f5c60ff

Please sign in to comment.