Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

syscall: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings (Linux) #29789

Closed
stapelberg opened this issue Jan 17, 2019 · 4 comments

Comments

@stapelberg
Copy link
Contributor

commented Jan 17, 2019

What version of Go are you using (go version)?

$ go version
go version devel +006a5e7d00 Thu Jan 17 01:28:22 2019 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/stapelberg/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/usr/local/google/home/stapelberg/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/google/home/stapelberg/upstream-go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/stapelberg/upstream-go/pkg/tool/linux_amd64"
GCCGO="/usr/bin/gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build406535096=/tmp/go-build -gno-record-gcc-switches"

What did you do?

https://play.golang.org/p/CiH9UtCuYzQ demonstrates what I’m trying to do in two ways: once with unshare(1), which is working, and once purely in Go, where the process hangs (!):

	cmd.SysProcAttr = &syscall.SysProcAttr{
		Unshareflags:               unix.CLONE_NEWNS | unix.CLONE_NEWUSER,
		GidMappingsEnableSetgroups: false,
		UidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      syscall.Getuid(),
				Size:        1,
			},
		},
		GidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      syscall.Getgid(),
				Size:        1,
			},
		},
	}

(Relevant code snippet pasted for discoverability of this issue.)

Even after fixing the hang, the uid/gid mapping fails with EPERM, because Go tries to apply them from the parent process, but they need to be applied in the child, after unshare(2).

I’ve sent https://go-review.googlesource.com/c/go/+/158297/1 and https://go-review.googlesource.com/c/go/+/158298 to fix this.

@bradfitz

This comment has been minimized.

Copy link
Member

commented Jan 17, 2019

Does this issue reproduce with the latest release?
Yes.

Do you mean Go 1.11 or Go 1.12beta2?

If this isn't a regression from Go 1.11, then this is Go 1.13 material.

@gopherbot

This comment has been minimized.

Copy link

commented Jan 17, 2019

Change https://golang.org/cl/158297 mentions this issue: Fix hang when using Unshareflags: CLONE_NEWUSER with uid/gid mapping

@bradfitz bradfitz added this to the Go1.13 milestone Jan 17, 2019

@gopherbot

This comment has been minimized.

Copy link

commented Jan 17, 2019

Change https://golang.org/cl/158298 mentions this issue: Correctly set up uid/gid mappings in user namespaces

@bradfitz bradfitz changed the title os/exec: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings syscall: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings (Linux) Jan 17, 2019

@stapelberg

This comment has been minimized.

Copy link
Contributor Author

commented Jan 17, 2019

Do you mean Go 1.11 or Go 1.12beta2?

If this isn't a regression from Go 1.11, then this is Go 1.13 material.

This issue is reproducible with Go 1.11.4, Go 1.12beta2 and tip.

gopherbot pushed a commit that referenced this issue Mar 6, 2019
syscall: fix hang when using Unshareflags: CLONE_NEWUSER with uid/gid…
… mapping (linux)

Note that this particular combination of properties still fails (EPERM), but it
no longer hangs.

Updates #29789

Change-Id: I29b15b85a25a7acd7ae89ffc5fed074bcdfe0a12
Reviewed-on: https://go-review.googlesource.com/c/go/+/158297
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

@gopherbot gopherbot closed this in 2bd28ce Mar 12, 2019

sipsma added a commit to sipsma/go that referenced this issue Jun 23, 2019
syscall: fix hang when using Unshareflags: CLONE_NEWUSER with uid/gid…
… mapping (linux)

Note that this particular combination of properties still fails (EPERM), but it
no longer hangs.

Updates golang#29789

Change-Id: I29b15b85a25a7acd7ae89ffc5fed074bcdfe0a12
Reviewed-on: https://go-review.googlesource.com/c/go/+/158297
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
sipsma added a commit to sipsma/go that referenced this issue Jun 23, 2019
syscall: correctly set up uid/gid mappings in user namespaces
Before this CL, uid/gid mapping was always set up from the parent
process, which is a privileged operation.

When using unprivileged user namespaces, a process can modify its
uid/gid mapping after the unshare(2) call (but setting the uid/gid
mapping from another process is NOT possible).

Fixes golang#29789

Change-Id: I8c96a03f5da23fe80bbb83ef051ad89cf185d750
Reviewed-on: https://go-review.googlesource.com/c/go/+/158298
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.