syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr
Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_map' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside a new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
1 parent
368f0ee
commit f5c60ff
Showing
2 changed files
with
119 additions
and
0 deletions.
@@ -0,0 +1,84 @@ | ||
// Copyright 2015 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
// +build linux | ||
|
||
package syscall_test | ||
|
||
import ( | ||
"os" | ||
"os/exec" | ||
"strings" | ||
"syscall" | ||
"testing" | ||
) | ||
|
||
func whoamiCmd(t *testing.T, uid int, setgroups bool) *exec.Cmd { | ||
if _, err := os.Stat("/proc/self/ns/user"); err != nil { | ||
if os.IsNotExist(err) { | ||
t.Skip("kernel doesn't support user namespaces") | ||
} | ||
t.Fatalf("Failed to stat /proc/self/ns/user: %v", err) | ||
} | ||
cmd := exec.Command("whoami") | ||
cmd.SysProcAttr = &syscall.SysProcAttr{ | ||
Cloneflags: syscall.CLONE_NEWUSER, | ||
UidMappings: []syscall.SysProcIDMap{ | ||
{ContainerID: 0, HostID: uid, Size: 1}, | ||
}, | ||
GidMappings: []syscall.SysProcIDMap{ | ||
{ContainerID: 0, HostID: uid, Size: 1}, | ||
}, | ||
GidMappingsEnableSetgroups: setgroups, | ||
} | ||
return cmd | ||
} | ||
|
||
func testNEWUSERRemap(t *testing.T, uid int, setgroups bool) { | ||
cmd := whoamiCmd(t, uid, setgroups) | ||
out, err := cmd.CombinedOutput() | ||
if err != nil { | ||
t.Fatalf("Cmd failed with err %v, output: %s", err, out) | ||
} | ||
sout := strings.TrimSpace(string(out)) | ||
want := "root" | ||
if sout != want { | ||
t.Fatalf("whoami = %q; want %q", out, want) | ||
} | ||
} | ||
|
||
func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) { | ||
if os.Getuid() != 0 { | ||
t.Skip("skipping root only test") | ||
} | ||
testNEWUSERRemap(t, 0, false) | ||
} | ||
|
||
func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) { | ||
if os.Getuid() != 0 { | ||
t.Skip("skipping root only test") | ||
} | ||
testNEWUSERRemap(t, 0, false) | ||
} | ||
|
||
func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) { | ||
if os.Getuid() == 0 { | ||
t.Skip("skipping unprivileged user only test") | ||
} | ||
testNEWUSERRemap(t, os.Getuid(), false) | ||
} | ||
|
||
func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) { | ||
if os.Getuid() == 0 { | ||
t.Skip("skipping unprivileged user only test") | ||
} | ||
cmd := whoamiCmd(t, os.Getuid(), true) | ||
err := cmd.Run() | ||
if err == nil { | ||
t.Skip("probably old kernel without security fix") | ||
} | ||
if !strings.Contains(err.Error(), "operation not permitted") { | ||
t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail") | ||
} | ||
} |
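Review bot: TestCloneNEWUSERAndRemapRootEnableSetgroups passes `false` as the setgroups argument, so it is an exact duplicate of the Disable variant and the `GidMappingsEnableSetgroups: true` path is never exercised as root; the call in that function should read `testNEWUSERRemap(t, 0, true)`. Separately, whoamiCmd only skips when /proc/self/ns/user is absent, so on a kernel that exposes user namespaces but forbids unprivileged CLONE_NEWUSER (for example a distribution sysctl such as kernel.unprivileged_userns_clone=0, where present) the two non-root tests would presumably fail with EPERM rather than skip, which makes a failure there ambiguous; reading that sysctl and calling `t.Skip` when it is 0 would keep the suite's failures meaningful. The final test's `strings.Contains(err.Error(), "operation not permitted")` ties the assertion to errno text; unwrapping the *os.PathError that os.StartProcess returns and comparing its Err with syscall.EPERM would be less brittle, though the text match is adequate for a fixed-message errno.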