syscall: SysProcAttr.AmbientCaps fails when creating a new user namespace and creator is not root #23152

Closed
Omnifarious opened this issue Dec 15, 2017 · 10 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Omnifarious commented Dec 15, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.9.2

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

Linux - amd64

What did you do?

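package main

import (
	"log"
	"os"
	"os/exec"
	"syscall"
)

func main() {
	cmd := exec.Command("/bin/sh")
	cmd.Stdin = os.Stdin
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		// New mount, IPC, network, PID and user namespaces for the child.
		Cloneflags: syscall.CLONE_NEWNS | syscall.CLONE_NEWIPC |
			syscall.CLONE_NEWNET | syscall.CLONE_NEWPID |
			syscall.CLONE_NEWUSER,
		// Map the caller's own uid and gid one-to-one into the new user namespace.
		UidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: os.Getuid(),
				HostID:      os.Getuid(),
				Size:        1,
			},
		},
		GidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: os.Getgid(),
				HostID:      os.Getgid(),
				Size:        1,
			},
		},
		// 8 = CAP_SETPCAP, 21 = CAP_SYS_ADMIN
		AmbientCaps: []uintptr{8, 21},
	}
	// The error reported in this issue is returned by Start.
	err := cmd.Start()
	if err != nil {
		log.Fatal(err)
	}
	cmd.Wait()
}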

I ran this code as a non-root user and the process had no capabilities.

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

What did you expect to see?

I expected the shell started in my new namespace to have certain capabilities.

What did you see instead?

An error from cmd.Start() when calling prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, ...) stating that there was an EPERM error.

@Omnifarious
Author

I do have a changeset that solves this issue:

Omnifarious@5de289a

@ianlancetaylor ianlancetaylor changed the title SysProcAttr.AmbientCaps fails when creating a new user namespace and creator is not root syscall: SysProcAttr.AmbientCaps fails when creating a new user namespace and creator is not root Dec 15, 2017
@ianlancetaylor ianlancetaylor added this to the Go1.11 milestone Dec 15, 2017
@ianlancetaylor ianlancetaylor added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 15, 2017
@ianlancetaylor
Contributor

CC @stapelberg

@stapelberg
Contributor

I indeed missed this use case when originally introducing the change.

I can confirm that the proposed change does not break things for me, so LGTM from my end.

@ianlancetaylor
Contributor

@Omnifarious Would you be willing to submit the change through the contribution process, which is described at https://golang.org/doc/contribute.html? Thanks.

@Omnifarious
Author

Realistically speaking, there is no way I'll ever take the time to do all of that. This is the only thing I currently anticipate ever contributing to Go. It's about 40 lines of code. It simply adds capabilities that someone wants to be in the ambient set to the inheritable set. I expect, in fact, that I've done it wrong, even though the code works for my particular case.
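
A diagnostic for the EPERM reported in this issue, added here as an example (it is not code from the thread or from the Go tree): the kernel accepts PR_CAP_AMBIENT_RAISE only for capabilities that are already in both the permitted and the inheritable sets, and a process that has just entered a new user namespace starts with an empty inheritable set. The status excerpt is constructed, and `parseCapSets` and `blockedAmbient` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: capability lines from /proc/<pid>/status for a process
// that has just entered a new user namespace (full permitted, empty inheritable).
const sampleStatus = `CapInh:	0000000000000000
CapPrm:	0000003fffffffff
CapEff:	0000003fffffffff
CapAmb:	0000000000000000`

// parseCapSets (hypothetical helper) extracts the Cap* hex masks from status text.
func parseCapSets(status string) (map[string]uint64, error) {
	sets := map[string]uint64{}
	for _, line := range strings.Split(status, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok || !strings.HasPrefix(key, "Cap") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		sets[key] = mask
	}
	return sets, nil
}

// blockedAmbient (hypothetical helper) returns the requested capabilities that
// PR_CAP_AMBIENT_RAISE rejects with EPERM: not in both permitted and inheritable.
func blockedAmbient(sets map[string]uint64, want []uint) []uint {
	var blocked []uint
	for _, c := range want {
		bit := uint64(1) << c
		if sets["CapPrm"]&bit == 0 || sets["CapInh"]&bit == 0 {
			blocked = append(blocked, c)
		}
	}
	return blocked
}

func main() {
	sets, err := parseCapSets(sampleStatus)
	fmt.Println("blocked:", blockedAmbient(sets, []uint{8, 21}), "err:", err)
}
```

Setting bits 8 and 21 in `CapInh` before the raise, which is what the proposed change does for the child, leaves nothing blocked.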

@Omnifarious
Author

Omnifarious commented Mar 13, 2018

So, I had a bunch of time on my hands, and went through the process described there. What do I use for a Change-ID? Never mind. I forgot the weird Gerrit process from when I tried to set it up a few years ago at a place I worked. We gave up and just used GitHub instead because Gerrit was heavy and didn't make a lot of sense to the developers.

https://go-review.googlesource.com/c/go/+/100315

@stapelberg
Contributor

Thanks for taking the time.

The change-id will be filled in automatically when you mail out the change.

You can also submit your change as a pull request, which will automatically import it into Gerrit.

@gopherbot

Change https://golang.org/cl/100315 mentions this issue: syscall: add capabilities to inheritable set before adding to ambient set

@ianlancetaylor ianlancetaylor modified the milestones: Go1.11, Go1.12 Jun 29, 2018
@ebfe
Contributor

ebfe commented Nov 16, 2018

Having this would also alleviate the need for #12125 since it would allow the execed process to retain the capabilities needed to do the bind mounts. Is there anything one can do to help move this forward?

@gopherbot

Change https://golang.org/cl/156577 mentions this issue: syscall: add all ambient caps into the permitted and the inheritable sets

@bradfitz bradfitz modified the milestones: Go1.12, Go1.13 Jan 7, 2019
@golang golang locked and limited conversation to collaborators Mar 7, 2020