Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

syscall: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings (Linux) #29789

Closed
stapelberg opened this issue Jan 17, 2019 · 4 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@stapelberg
Copy link
Contributor

stapelberg commented Jan 17, 2019

What version of Go are you using (go version)?

$ go version
go version devel +006a5e7d00 Thu Jan 17 01:28:22 2019 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/stapelberg/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/usr/local/google/home/stapelberg/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/google/home/stapelberg/upstream-go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/stapelberg/upstream-go/pkg/tool/linux_amd64"
GCCGO="/usr/bin/gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build406535096=/tmp/go-build -gno-record-gcc-switches"

What did you do?

https://play.golang.org/p/CiH9UtCuYzQ demonstrates what I’m trying to do in two ways: once with unshare(1), which is working, and once purely in Go, where the process hangs (!):

	cmd.SysProcAttr = &syscall.SysProcAttr{
		Unshareflags:               unix.CLONE_NEWNS | unix.CLONE_NEWUSER,
		GidMappingsEnableSetgroups: false,
		UidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      syscall.Getuid(),
				Size:        1,
			},
		},
		GidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      syscall.Getgid(),
				Size:        1,
			},
		},
	}

(Relevant code snippet pasted for discoverability of this issue.)

Even after fixing the hang, the uid/gid mapping fails with EPERM, because Go tries to apply them from the parent process, but they need to be applied in the child, after unshare(2).

I’ve sent https://go-review.googlesource.com/c/go/+/158297/1 and https://go-review.googlesource.com/c/go/+/158298 to fix this.

@bradfitz
Copy link
Contributor

Does this issue reproduce with the latest release?
Yes.

Do you mean Go 1.11 or Go 1.12beta2?

If this isn't a regression from Go 1.11, then this is Go 1.13 material.

@gopherbot
Copy link

Change https://golang.org/cl/158297 mentions this issue: Fix hang when using Unshareflags: CLONE_NEWUSER with uid/gid mapping

@bradfitz bradfitz added this to the Go1.13 milestone Jan 17, 2019
@gopherbot
Copy link

Change https://golang.org/cl/158298 mentions this issue: Correctly set up uid/gid mappings in user namespaces

@bradfitz bradfitz added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 17, 2019
@bradfitz bradfitz changed the title os/exec: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings syscall: Unshareflags CLONE_NEWUSER (unprivileged user namespaces) does not work with uid/gid mappings (Linux) Jan 17, 2019
@stapelberg
Copy link
Contributor Author

Do you mean Go 1.11 or Go 1.12beta2?

If this isn't a regression from Go 1.11, then this is Go 1.13 material.

This issue is reproducible with Go 1.11.4, Go 1.12beta2 and tip.

gopherbot pushed a commit that referenced this issue Mar 6, 2019
… mapping (linux)

Note that this particular combination of properties still fails (EPERM), but it
no longer hangs.

Updates #29789

Change-Id: I29b15b85a25a7acd7ae89ffc5fed074bcdfe0a12
Reviewed-on: https://go-review.googlesource.com/c/go/+/158297
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
sipsma pushed a commit to sipsma/go that referenced this issue Jun 23, 2019
… mapping (linux)

Note that this particular combination of properties still fails (EPERM), but it
no longer hangs.

Updates golang#29789

Change-Id: I29b15b85a25a7acd7ae89ffc5fed074bcdfe0a12
Reviewed-on: https://go-review.googlesource.com/c/go/+/158297
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
sipsma pushed a commit to sipsma/go that referenced this issue Jun 23, 2019
Before this CL, uid/gid mapping was always set up from the parent
process, which is a privileged operation.

When using unprivileged user namespaces, a process can modify its
uid/gid mapping after the unshare(2) call (but setting the uid/gid
mapping from another process is NOT possible).

Fixes golang#29789

Change-Id: I8c96a03f5da23fe80bbb83ef051ad89cf185d750
Reviewed-on: https://go-review.googlesource.com/c/go/+/158298
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
@golang golang locked and limited conversation to collaborators Mar 11, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

3 participants