1 // Copyright 2011 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // +build linux 6 7 package syscall 8 9 import ( 10 "runtime" 11 "unsafe" 12 ) 13 14 // SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux. 15 // See user_namespaces(7). 16 type SysProcIDMap struct { 17 ContainerID int // Container ID. 18 HostID int // Host ID. 19 Size int // Size. 20 } 21 22 type SysProcAttr struct { 23 Chroot string // Chroot. 24 Credential *Credential // Credential. 25 // Ptrace tells the child to call ptrace(PTRACE_TRACEME). 26 // Call runtime.LockOSThread before starting a process with this set, 27 // and don't call UnlockOSThread until done with PtraceSyscall calls. 28 Ptrace bool 29 Setsid bool // Create session. 30 Setpgid bool // Set process group ID to Pgid, or, if Pgid == 0, to new pid. 31 Setctty bool // Set controlling terminal to fd Ctty (only meaningful if Setsid is set) 32 Noctty bool // Detach fd 0 from controlling terminal 33 Ctty int // Controlling TTY fd 34 Foreground bool // Place child's process group in foreground. (Implies Setpgid. Uses Ctty as fd of controlling TTY) 35 Pgid int // Child's process group ID if Setpgid. 36 Pdeathsig Signal // Signal that the process will get when its parent dies (Linux only) 37 Cloneflags uintptr // Flags for clone calls (Linux only) 38 Unshareflags uintptr // Flags for unshare calls (Linux only) 39 UidMappings []SysProcIDMap // User ID mappings for user namespaces. 40 GidMappings []SysProcIDMap // Group ID mappings for user namespaces. 41 // GidMappingsEnableSetgroups enabling setgroups syscall. 42 // If false, then setgroups syscall will be disabled for the child process. 43 // This parameter is no-op if GidMappings == nil. Otherwise for unprivileged 44 // users this should be set to false for mappings work. 45 GidMappingsEnableSetgroups bool 46 AmbientCaps []uintptr // Ambient capabilities (Linux only) 47 } 48 49 var ( 50 none = [...]byte{'n', 'o', 'n', 'e', 0} 51 slash = [...]byte{'/', 0} 52 ) 53 54 // Implemented in runtime package. 55 func runtime_BeforeFork() 56 func runtime_AfterFork() 57 func runtime_AfterForkInChild() 58 59 // Fork, dup fd onto 0..len(fd), and exec(argv0, argvv, envv) in child. 60 // If a dup or exec fails, write the errno error to pipe. 61 // (Pipe is close-on-exec so if exec succeeds, it will be closed.) 62 // In the child, this function must not acquire any locks, because 63 // they might have been locked at the time of the fork. This means 64 // no rescheduling, no malloc calls, and no new stack segments. 65 // For the same reason compiler does not race instrument it. 66 // The calls to RawSyscall are okay because they are assembly 67 // functions that do not grow the stack. 68 //go:norace 69 func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (pid int, err Errno) { 70 // Set up and fork. This returns immediately in the parent or 71 // if there's an error. 72 r1, err1, p, locked := forkAndExecInChild1(argv0, argv, envv, chroot, dir, attr, sys, pipe) 73 if locked { 74 runtime_AfterFork() 75 } 76 if err1 != 0 { 77 return 0, err1 78 } 79 80 // parent; return PID 81 pid = int(r1) 82 83 if sys.UidMappings != nil || sys.GidMappings != nil { 84 Close(p[0]) 85 err := writeUidGidMappings(pid, sys) 86 var err2 Errno 87 if err != nil { 88 err2 = err.(Errno) 89 } 90 RawSyscall(SYS_WRITE, uintptr(p[1]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2)) 91 Close(p[1]) 92 } 93 94 return pid, 0 95 } 96 97 // forkAndExecInChild1 implements the body of forkAndExecInChild up to 98 // the parent's post-fork path. This is a separate function so we can 99 // separate the child's and parent's stack frames if we're using 100 // vfork. 101 // 102 // This is go:noinline because the point is to keep the stack frames 103 // of this and forkAndExecInChild separate. 104 // 105 //go:noinline 106 //go:norace 107 func forkAndExecInChild1(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (r1 uintptr, err1 Errno, p [2]int, locked bool) { 108 // Defined in linux/prctl.h starting with Linux 4.3. 109 const ( 110 PR_CAP_AMBIENT = 0x2f 111 PR_CAP_AMBIENT_RAISE = 0x2 112 ) 113 114 // vfork requires that the child not touch any of the parent's 115 // active stack frames. Hence, the child does all post-fork 116 // processing in this stack frame and never returns, while the 117 // parent returns immediately from this frame and does all 118 // post-fork processing in the outer frame. 119 // Declare all variables at top in case any 120 // declarations require heap allocation (e.g., err1). 121 var ( 122 err2 Errno 123 nextfd int 124 i int 125 ) 126 127 // Record parent PID so child can test if it has died. 128 ppid, _ := rawSyscallNoError(SYS_GETPID, 0, 0, 0) 129 130 // Guard against side effects of shuffling fds below. 131 // Make sure that nextfd is beyond any currently open files so 132 // that we can't run the risk of overwriting any of them. 133 fd := make([]int, len(attr.Files)) 134 nextfd = len(attr.Files) 135 for i, ufd := range attr.Files { 136 if nextfd < int(ufd) { 137 nextfd = int(ufd) 138 } 139 fd[i] = int(ufd) 140 } 141 nextfd++ 142 143 // Allocate another pipe for parent to child communication for 144 // synchronizing writing of User ID/Group ID mappings. 145 if sys.UidMappings != nil || sys.GidMappings != nil { 146 if err := forkExecPipe(p[:]); err != nil { 147 err1 = err.(Errno) 148 return 149 } 150 } 151 152 // About to call fork. 153 // No more allocation or calls of non-assembly functions. 154 runtime_BeforeFork() 155 locked = true 156 switch { 157 case runtime.GOARCH == "amd64" && sys.Cloneflags&CLONE_NEWUSER == 0: 158 r1, err1 = rawVforkSyscall(SYS_CLONE, uintptr(SIGCHLD|CLONE_VFORK|CLONE_VM)|sys.Cloneflags) 159 case runtime.GOARCH == "s390x": 160 r1, _, err1 = RawSyscall6(SYS_CLONE, 0, uintptr(SIGCHLD)|sys.Cloneflags, 0, 0, 0, 0) 161 default: 162 r1, _, err1 = RawSyscall6(SYS_CLONE, uintptr(SIGCHLD)|sys.Cloneflags, 0, 0, 0, 0, 0) 163 } 164 if err1 != 0 || r1 != 0 { 165 // If we're in the parent, we must return immediately 166 // so we're not in the same stack frame as the child. 167 // This can at most use the return PC, which the child 168 // will not modify, and the results of 169 // rawVforkSyscall, which must have been written after 170 // the child was replaced. 171 return 172 } 173 174 // Fork succeeded, now in child. 175 176 runtime_AfterForkInChild() 177 178 // Enable the "keep capabilities" flag to set ambient capabilities later. 179 if len(sys.AmbientCaps) > 0 { 180 _, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_KEEPCAPS, 1, 0, 0, 0, 0) 181 if err1 != 0 { 182 goto childerror 183 } 184 } 185 186 // Wait for User ID/Group ID mappings to be written. 187 if sys.UidMappings != nil || sys.GidMappings != nil { 188 if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(p[1]), 0, 0); err1 != 0 { 189 goto childerror 190 } 191 r1, _, err1 = RawSyscall(SYS_READ, uintptr(p[0]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2)) 192 if err1 != 0 { 193 goto childerror 194 } 195 if r1 != unsafe.Sizeof(err2) { 196 err1 = EINVAL 197 goto childerror 198 } 199 if err2 != 0 { 200 err1 = err2 201 goto childerror 202 } 203 } 204 205 // Session ID 206 if sys.Setsid { 207 _, _, err1 = RawSyscall(SYS_SETSID, 0, 0, 0) 208 if err1 != 0 { 209 goto childerror 210 } 211 } 212 213 // Set process group 214 if sys.Setpgid || sys.Foreground { 215 // Place child in process group. 216 _, _, err1 = RawSyscall(SYS_SETPGID, 0, uintptr(sys.Pgid), 0) 217 if err1 != 0 { 218 goto childerror 219 } 220 } 221 222 if sys.Foreground { 223 pgrp := int32(sys.Pgid) 224 if pgrp == 0 { 225 r1, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0) 226 227 pgrp = int32(r1) 228 } 229 230 // Place process group in foreground. 231 _, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSPGRP), uintptr(unsafe.Pointer(&pgrp))) 232 if err1 != 0 { 233 goto childerror 234 } 235 } 236 237 // Unshare 238 if sys.Unshareflags != 0 { 239 _, _, err1 = RawSyscall(SYS_UNSHARE, sys.Unshareflags, 0, 0) 240 if err1 != 0 { 241 goto childerror 242 } 243 // The unshare system call in Linux doesn't unshare mount points 244 // mounted with --shared. Systemd mounts / with --shared. For a 245 // long discussion of the pros and cons of this see debian bug 739593. 246 // The Go model of unsharing is more like Plan 9, where you ask 247 // to unshare and the namespaces are unconditionally unshared. 248 // To make this model work we must further mark / as MS_PRIVATE. 249 // This is what the standard unshare command does. 250 if sys.Unshareflags&CLONE_NEWNS == CLONE_NEWNS { 251 _, _, err1 = RawSyscall6(SYS_MOUNT, uintptr(unsafe.Pointer(&none[0])), uintptr(unsafe.Pointer(&slash[0])), 0, MS_REC|MS_PRIVATE, 0, 0) 252 if err1 != 0 { 253 goto childerror 254 } 255 } 256 } 257 258 // Chroot 259 if chroot != nil { 260 _, _, err1 = RawSyscall(SYS_CHROOT, uintptr(unsafe.Pointer(chroot)), 0, 0) 261 if err1 != 0 { 262 goto childerror 263 } 264 } 265 266 // User and groups 267 if cred := sys.Credential; cred != nil { 268 ngroups := uintptr(len(cred.Groups)) 269 groups := uintptr(0) 270 if ngroups > 0 { 271 groups = uintptr(unsafe.Pointer(&cred.Groups[0])) 272 } 273 if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) && !cred.NoSetGroups { 274 _, _, err1 = RawSyscall(_SYS_setgroups, ngroups, groups, 0) 275 if err1 != 0 { 276 goto childerror 277 } 278 } 279 _, _, err1 = RawSyscall(sys_SETGID, uintptr(cred.Gid), 0, 0) 280 if err1 != 0 { 281 goto childerror 282 } 283 _, _, err1 = RawSyscall(sys_SETUID, uintptr(cred.Uid), 0, 0) 284 if err1 != 0 { 285 goto childerror 286 } 287 } 288 289 for _, c := range sys.AmbientCaps { 290 _, _, err1 = RawSyscall6(SYS_PRCTL, PR_CAP_AMBIENT, uintptr(PR_CAP_AMBIENT_RAISE), c, 0, 0, 0) 291 if err1 != 0 { 292 goto childerror 293 } 294 } 295 296 // Chdir 297 if dir != nil { 298 _, _, err1 = RawSyscall(SYS_CHDIR, uintptr(unsafe.Pointer(dir)), 0, 0) 299 if err1 != 0 { 300 goto childerror 301 } 302 } 303 304 // Parent death signal 305 if sys.Pdeathsig != 0 { 306 _, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_PDEATHSIG, uintptr(sys.Pdeathsig), 0, 0, 0, 0) 307 if err1 != 0 { 308 goto childerror 309 } 310 311 // Signal self if parent is already dead. This might cause a 312 // duplicate signal in rare cases, but it won't matter when 313 // using SIGKILL. 314 r1, _ = rawSyscallNoError(SYS_GETPPID, 0, 0, 0) 315 if r1 != ppid { 316 pid, _ := rawSyscallNoError(SYS_GETPID, 0, 0, 0) 317 _, _, err1 := RawSyscall(SYS_KILL, pid, uintptr(sys.Pdeathsig), 0) 318 if err1 != 0 { 319 goto childerror 320 } 321 } 322 } 323 324 // Pass 1: look for fd[i] < i and move those up above len(fd) 325 // so that pass 2 won't stomp on an fd it needs later. 326 if pipe < nextfd { 327 _, _, err1 = RawSyscall(_SYS_dup, uintptr(pipe), uintptr(nextfd), 0) 328 if err1 != 0 { 329 goto childerror 330 } 331 RawSyscall(SYS_FCNTL, uintptr(nextfd), F_SETFD, FD_CLOEXEC) 332 pipe = nextfd 333 nextfd++ 334 } 335 for i = 0; i < len(fd); i++ { 336 if fd[i] >= 0 && fd[i] < int(i) { 337 if nextfd == pipe { // don't stomp on pipe 338 nextfd++ 339 } 340 _, _, err1 = RawSyscall(_SYS_dup, uintptr(fd[i]), uintptr(nextfd), 0) 341 if err1 != 0 { 342 goto childerror 343 } 344 RawSyscall(SYS_FCNTL, uintptr(nextfd), F_SETFD, FD_CLOEXEC) 345 fd[i] = nextfd 346 nextfd++ 347 } 348 } 349 350 // Pass 2: dup fd[i] down onto i. 351 for i = 0; i < len(fd); i++ { 352 if fd[i] == -1 { 353 RawSyscall(SYS_CLOSE, uintptr(i), 0, 0) 354 continue 355 } 356 if fd[i] == int(i) { 357 // dup2(i, i) won't clear close-on-exec flag on Linux, 358 // probably not elsewhere either. 359 _, _, err1 = RawSyscall(SYS_FCNTL, uintptr(fd[i]), F_SETFD, 0) 360 if err1 != 0 { 361 goto childerror 362 } 363 continue 364 } 365 // The new fd is created NOT close-on-exec, 366 // which is exactly what we want. 367 _, _, err1 = RawSyscall(_SYS_dup, uintptr(fd[i]), uintptr(i), 0) 368 if err1 != 0 { 369 goto childerror 370 } 371 } 372 373 // By convention, we don't close-on-exec the fds we are 374 // started with, so if len(fd) < 3, close 0, 1, 2 as needed. 375 // Programs that know they inherit fds >= 3 will need 376 // to set them close-on-exec. 377 for i = len(fd); i < 3; i++ { 378 RawSyscall(SYS_CLOSE, uintptr(i), 0, 0) 379 } 380 381 // Detach fd 0 from tty 382 if sys.Noctty { 383 _, _, err1 = RawSyscall(SYS_IOCTL, 0, uintptr(TIOCNOTTY), 0) 384 if err1 != 0 { 385 goto childerror 386 } 387 } 388 389 // Set the controlling TTY to Ctty 390 if sys.Setctty { 391 _, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSCTTY), 1) 392 if err1 != 0 { 393 goto childerror 394 } 395 } 396 397 // Enable tracing if requested. 398 // Do this right before exec so that we don't unnecessarily trace the runtime 399 // setting up after the fork. See issue #21428. 400 if sys.Ptrace { 401 _, _, err1 = RawSyscall(SYS_PTRACE, uintptr(PTRACE_TRACEME), 0, 0) 402 if err1 != 0 { 403 goto childerror 404 } 405 } 406 407 // Time to exec. 408 _, _, err1 = RawSyscall(SYS_EXECVE, 409 uintptr(unsafe.Pointer(argv0)), 410 uintptr(unsafe.Pointer(&argv[0])), 411 uintptr(unsafe.Pointer(&envv[0]))) 412 413 childerror: 414 // send error code on pipe 415 RawSyscall(SYS_WRITE, uintptr(pipe), uintptr(unsafe.Pointer(&err1)), unsafe.Sizeof(err1)) 416 for { 417 RawSyscall(SYS_EXIT, 253, 0, 0) 418 } 419 } 420 421 // Try to open a pipe with O_CLOEXEC set on both file descriptors. 422 func forkExecPipe(p []int) (err error) { 423 err = Pipe2(p, O_CLOEXEC) 424 // pipe2 was added in 2.6.27 and our minimum requirement is 2.6.23, so it 425 // might not be implemented. 426 if err == ENOSYS { 427 if err = Pipe(p); err != nil { 428 return 429 } 430 if _, err = fcntl(p[0], F_SETFD, FD_CLOEXEC); err != nil { 431 return 432 } 433 _, err = fcntl(p[1], F_SETFD, FD_CLOEXEC) 434 } 435 return 436 } 437 438 // writeIDMappings writes the user namespace User ID or Group ID mappings to the specified path. 439 func writeIDMappings(path string, idMap []SysProcIDMap) error { 440 fd, err := Open(path, O_RDWR, 0) 441 if err != nil { 442 return err 443 } 444 445 data := "" 446 for _, im := range idMap { 447 data = data + itoa(im.ContainerID) + " " + itoa(im.HostID) + " " + itoa(im.Size) + "\n" 448 } 449 450 bytes, err := ByteSliceFromString(data) 451 if err != nil { 452 Close(fd) 453 return err 454 } 455 456 if _, err := Write(fd, bytes); err != nil { 457 Close(fd) 458 return err 459 } 460 461 if err := Close(fd); err != nil { 462 return err 463 } 464 465 return nil 466 } 467 468 // writeSetgroups writes to /proc/PID/setgroups "deny" if enable is false 469 // and "allow" if enable is true. 470 // This is needed since kernel 3.19, because you can't write gid_map without 471 // disabling setgroups() system call. 472 func writeSetgroups(pid int, enable bool) error { 473 sgf := "/proc/" + itoa(pid) + "/setgroups" 474 fd, err := Open(sgf, O_RDWR, 0) 475 if err != nil { 476 return err 477 } 478 479 var data []byte 480 if enable { 481 data = []byte("allow") 482 } else { 483 data = []byte("deny") 484 } 485 486 if _, err := Write(fd, data); err != nil { 487 Close(fd) 488 return err 489 } 490 491 return Close(fd) 492 } 493 494 // writeUidGidMappings writes User ID and Group ID mappings for user namespaces 495 // for a process and it is called from the parent process. 496 func writeUidGidMappings(pid int, sys *SysProcAttr) error { 497 if sys.UidMappings != nil { 498 uidf := "/proc/" + itoa(pid) + "/uid_map" 499 if err := writeIDMappings(uidf, sys.UidMappings); err != nil { 500 return err 501 } 502 } 503 504 if sys.GidMappings != nil { 505 // If the kernel is too old to support /proc/PID/setgroups, writeSetGroups will return ENOENT; this is OK. 506 if err := writeSetgroups(pid, sys.GidMappingsEnableSetgroups); err != nil && err != ENOENT { 507 return err 508 } 509 gidf := "/proc/" + itoa(pid) + "/gid_map" 510 if err := writeIDMappings(gidf, sys.GidMappings); err != nil { 511 return err 512 } 513 } 514 515 return nil 516 } 517
View as plain text