syscall: SysProcAttr.AmbientCaps fails when creating a new user namespace and creator is not root #23152

Open
Omnifarious opened this Issue Dec 15, 2017 · 9 comments
@Omnifarious

Omnifarious commented Dec 15, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.9.2

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

Linux - amd64

What did you do?

package main

import (
	"log"
	"os"
	"os/exec"
	"syscall"
)

func main() {
	cmd := exec.Command("/bin/sh")
	cmd.Stdin = os.Stdin
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWIPC |
			syscall.CLONE_NEWNET | syscall.CLONE_NEWPID |
			syscall.CLONE_NEWUSER,
		// Map the (unprivileged) caller to itself inside the new user namespace.
		UidMappings: []syscall.SysProcIDMap{
			{ContainerID: os.Getuid(), HostID: os.Getuid(), Size: 1},
		},
		GidMappings: []syscall.SysProcIDMap{
			{ContainerID: os.Getgid(), HostID: os.Getgid(), Size: 1},
		},
		// CAP_SETPCAP (8) and CAP_SYS_ADMIN (21) requested in the ambient set.
		AmbientCaps: []uintptr{8, 21},
	}
	if err := cmd.Start(); err != nil {
		log.Fatal(err)
	}
	// Wait for the interactive shell so the program does not exit immediately.
	if err := cmd.Wait(); err != nil {
		log.Fatal(err)
	}
}

I ran this code as a non-root user and the process had no capabilities.

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

What did you expect to see?

I expected the shell started in my new namespace to have certain capabilities.

What did you see instead?

An error from cmd.Start() when calling prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, ...) stating that there was an EPERM error.

@Omnifarious

Omnifarious commented Dec 15, 2017

I do have a changeset that solves this issue:

Omnifarious@5de289a

@ianlancetaylor ianlancetaylor changed the title from SysProcAttr.AmbientCaps fails when creating a new user namespace and creator is not root to syscall: SysProcAttr.AmbientCaps fails when creating a new user namespace and creator is not root Dec 15, 2017

@ianlancetaylor ianlancetaylor added this to the Go1.11 milestone Dec 15, 2017

@ianlancetaylor

Contributor

ianlancetaylor commented Dec 15, 2017

@stapelberg

Contributor

stapelberg commented Dec 15, 2017

I indeed missed this use case when originally introducing the change.

I can confirm that the proposed change does not break things for me, so LGTM from my end.

@ianlancetaylor

Contributor

ianlancetaylor commented Dec 15, 2017

@Omnifarious Would you be willing to submit the change through the contribution process, which is described at https://golang.org/doc/contribute.html? Thanks.

@Omnifarious

Omnifarious commented Dec 15, 2017

Realistically speaking, there is no way I'll ever take the time to do all of that. This is the only thing I currently anticipate ever contributing to Go. It's about 40 lines of code. It simply adds capabilities that someone wants to be in the ambient set to the inheritable set. I expect, in fact, that I've done it wrong, even though the code works for my particular case.
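The mechanism described in the comment above, and the EPERM from the opening post, come down to one rule: prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) only succeeds when cap is already in both the permitted and the inheritable set of the calling thread, and a fresh user namespace gives the child a full permitted set but an empty inheritable set. The following is an added example written for this page, not code from the CL or from the Go runtime. It reads the thread's capability sets with capget, ORs the requested capabilities into the inheritable words, writes them back with capset, and only then raises each capability into the ambient set. The constant values are the ones from the Linux headers (<linux/capability.h>, <linux/prctl.h>); the function and type names (addInheritable, raiseAmbient, capSets) are chosen here and are not part of any library. It is Linux-only, like the issue itself.

```go
package main

import (
	"fmt"
	"syscall"
	"unsafe"
)

// Values from the Linux headers.
const (
	linuxCapabilityVersion3 = 0x20080522 // _LINUX_CAPABILITY_VERSION_3
	prCapAmbient            = 47         // PR_CAP_AMBIENT
	prCapAmbientRaise       = 2          // PR_CAP_AMBIENT_RAISE
	capSetpcap              = 8          // CAP_SETPCAP
	capSysAdmin             = 21         // CAP_SYS_ADMIN
)

// capHeader mirrors struct __user_cap_header_struct; pid 0 selects the calling thread.
type capHeader struct {
	version uint32
	pid     int32
}

// capData mirrors struct __user_cap_data_struct (one 32-bit word per set).
type capData struct {
	effective   uint32
	permitted   uint32
	inheritable uint32
}

// capSets holds the two words the v3 interface uses, covering capabilities 0..63.
type capSets [2]capData

// addInheritable sets the inheritable bit for every capability in caps and leaves
// the permitted and effective words untouched. Pure, so it is testable without privilege.
func addInheritable(sets capSets, caps []uintptr) capSets {
	for _, c := range caps {
		word, bit := c/32, c%32
		sets[word].inheritable |= 1 << bit
	}
	return sets
}

// hasInheritable reports whether capability c is present in the inheritable set.
func hasInheritable(sets capSets, c uintptr) bool {
	return sets[c/32].inheritable&(1<<(c%32)) != 0
}

// raiseAmbient performs, on the calling thread, the sequence the fix needs:
// capget -> add caps to the inheritable set -> capset -> PR_CAP_AMBIENT_RAISE per cap.
// It succeeds only if caps are already in the permitted set (true for the child of a
// CLONE_NEWUSER clone, false for an ordinary unprivileged process, which gets EPERM).
func raiseAmbient(caps []uintptr) error {
	hdr := capHeader{version: linuxCapabilityVersion3, pid: 0}
	var sets capSets
	if _, _, e := syscall.RawSyscall(syscall.SYS_CAPGET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&sets[0])), 0); e != 0 {
		return fmt.Errorf("capget: %w", e)
	}
	sets = addInheritable(sets, caps)
	if _, _, e := syscall.RawSyscall(syscall.SYS_CAPSET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&sets[0])), 0); e != 0 {
		return fmt.Errorf("capset: %w", e)
	}
	for _, c := range caps {
		if _, _, e := syscall.RawSyscall(syscall.SYS_PRCTL, prCapAmbient, prCapAmbientRaise, c); e != 0 {
			return fmt.Errorf("prctl(PR_CAP_AMBIENT_RAISE, %d): %w", c, e)
		}
	}
	return nil
}

func main() {
	// Run as an ordinary user this prints an EPERM from capset, because the caps are not
	// permitted; inside a freshly created user namespace the same call succeeds.
	if err := raiseAmbient([]uintptr{capSetpcap, capSysAdmin}); err != nil {
		fmt.Println("raiseAmbient failed:", err)
		return
	}
	fmt.Println("ambient capabilities raised")
}
```

The order matters: raising the ambient bit before the inheritable bit is set is exactly the call that returned EPERM in the report, and capset itself is only allowed to grow the inheritable set by capabilities the thread already holds in its permitted set, which is why the same code works for the child of the user-namespace clone but not for an unprivileged process outside one.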

@Omnifarious

Omnifarious commented Mar 13, 2018

So, I had a bunch of time on my hands, and went through the process described there. What do I use for a Change-ID? Never mind. I forgot the weird Gerrit process from when I tried to set it up a few years ago at a place I worked. We gave up and just used GitHub instead because Gerrit was heavy and didn't make a lot of sense to the developers.

https://go-review.googlesource.com/c/go/+/100315

@stapelberg

Contributor

stapelberg commented Mar 13, 2018

Thanks for taking the time.

The change-id will be filled in automatically when you mail out the change.

You can also submit your change as a pull request, which will automatically import it into gerrit.

@gopherbot

gopherbot commented Mar 14, 2018

Change https://golang.org/cl/100315 mentions this issue: syscall: add capabilities to inheritable set before adding to ambient set

@ianlancetaylor ianlancetaylor modified the milestones: Go1.11, Go1.12 Jun 29, 2018

@ebfe

Contributor

ebfe commented Nov 16, 2018

Having this would also alleviate the need for #12125, since it would allow the exec'ed process to retain the capabilities needed to do the bind mounts. Is there anything one can do to help move this forward?