exec_linux.go

Documentation: syscall

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // +build linux
     6  
     7  package syscall
     8  
     9  import (
    10  	"runtime"
    11  	"unsafe"
    12  )
    13  
    14  // SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
    15  // See user_namespaces(7).
    16  type SysProcIDMap struct {
    17  	ContainerID int // Container ID.
    18  	HostID      int // Host ID.
    19  	Size        int // Size.
    20  }
    21  
    22  type SysProcAttr struct {
    23  	Chroot     string      // Chroot.
    24  	Credential *Credential // Credential.
    25  	// Ptrace tells the child to call ptrace(PTRACE_TRACEME).
    26  	// Call runtime.LockOSThread before starting a process with this set,
    27  	// and don't call UnlockOSThread until done with PtraceSyscall calls.
    28  	Ptrace       bool
    29  	Setsid       bool           // Create session.
    30  	Setpgid      bool           // Set process group ID to Pgid, or, if Pgid == 0, to new pid.
    31  	Setctty      bool           // Set controlling terminal to fd Ctty (only meaningful if Setsid is set)
    32  	Noctty       bool           // Detach fd 0 from controlling terminal
    33  	Ctty         int            // Controlling TTY fd
    34  	Foreground   bool           // Place child's process group in foreground. (Implies Setpgid. Uses Ctty as fd of controlling TTY)
    35  	Pgid         int            // Child's process group ID if Setpgid.
    36  	Pdeathsig    Signal         // Signal that the process will get when its parent dies (Linux only)
    37  	Cloneflags   uintptr        // Flags for clone calls (Linux only)
    38  	Unshareflags uintptr        // Flags for unshare calls (Linux only)
    39  	UidMappings  []SysProcIDMap // User ID mappings for user namespaces.
    40  	GidMappings  []SysProcIDMap // Group ID mappings for user namespaces.
    41  	// GidMappingsEnableSetgroups enabling setgroups syscall.
    42  	// If false, then setgroups syscall will be disabled for the child process.
    43  	// This parameter is no-op if GidMappings == nil. Otherwise for unprivileged
    44  	// users this should be set to false for mappings work.
    45  	GidMappingsEnableSetgroups bool
    46  	AmbientCaps                []uintptr // Ambient capabilities (Linux only)
    47  }
    48  
    49  var (
    50  	none  = [...]byte{'n', 'o', 'n', 'e', 0}
    51  	slash = [...]byte{'/', 0}
    52  )
    53  
    54  // Implemented in runtime package.
    55  func runtime_BeforeFork()
    56  func runtime_AfterFork()
    57  func runtime_AfterForkInChild()
    58  
    59  // Fork, dup fd onto 0..len(fd), and exec(argv0, argvv, envv) in child.
    60  // If a dup or exec fails, write the errno error to pipe.
    61  // (Pipe is close-on-exec so if exec succeeds, it will be closed.)
    62  // In the child, this function must not acquire any locks, because
    63  // they might have been locked at the time of the fork. This means
    64  // no rescheduling, no malloc calls, and no new stack segments.
    65  // For the same reason compiler does not race instrument it.
    66  // The calls to RawSyscall are okay because they are assembly
    67  // functions that do not grow the stack.
    68  //go:norace
    69  func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (pid int, err Errno) {
    70  	// Set up and fork. This returns immediately in the parent or
    71  	// if there's an error.
    72  	r1, err1, p, locked := forkAndExecInChild1(argv0, argv, envv, chroot, dir, attr, sys, pipe)
    73  	if locked {
    74  		runtime_AfterFork()
    75  	}
    76  	if err1 != 0 {
    77  		return 0, err1
    78  	}
    79  
    80  	// parent; return PID
    81  	pid = int(r1)
    82  
    83  	if sys.UidMappings != nil || sys.GidMappings != nil {
    84  		Close(p[0])
    85  		var err2 Errno
    86  		// uid/gid mappings will be written after fork and unshare(2) for user
    87  		// namespaces.
    88  		if sys.Unshareflags&CLONE_NEWUSER == 0 {
    89  			if err := writeUidGidMappings(pid, sys); err != nil {
    90  				err2 = err.(Errno)
    91  			}
    92  		}
    93  		RawSyscall(SYS_WRITE, uintptr(p[1]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2))
    94  		Close(p[1])
    95  	}
    96  
    97  	return pid, 0
    98  }
    99  
   100  const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
   101  
   102  type capHeader struct {
   103  	version uint32
   104  	pid     int32
   105  }
   106  
   107  type capData struct {
   108  	effective   uint32
   109  	permitted   uint32
   110  	inheritable uint32
   111  }
   112  type caps struct {
   113  	hdr  capHeader
   114  	data [2]capData
   115  }
   116  
   117  // See CAP_TO_INDEX in linux/capability.h:
   118  func capToIndex(cap uintptr) uintptr { return cap >> 5 }
   119  
   120  // See CAP_TO_MASK in linux/capability.h:
   121  func capToMask(cap uintptr) uint32 { return 1 << uint(cap&31) }
   122  
   123  // forkAndExecInChild1 implements the body of forkAndExecInChild up to
   124  // the parent's post-fork path. This is a separate function so we can
   125  // separate the child's and parent's stack frames if we're using
   126  // vfork.
   127  //
   128  // This is go:noinline because the point is to keep the stack frames
   129  // of this and forkAndExecInChild separate.
   130  //
   131  //go:noinline
   132  //go:norace
   133  func forkAndExecInChild1(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (r1 uintptr, err1 Errno, p [2]int, locked bool) {
   134  	// Defined in linux/prctl.h starting with Linux 4.3.
   135  	const (
   136  		PR_CAP_AMBIENT       = 0x2f
   137  		PR_CAP_AMBIENT_RAISE = 0x2
   138  	)
   139  
   140  	// vfork requires that the child not touch any of the parent's
   141  	// active stack frames. Hence, the child does all post-fork
   142  	// processing in this stack frame and never returns, while the
   143  	// parent returns immediately from this frame and does all
   144  	// post-fork processing in the outer frame.
   145  	// Declare all variables at top in case any
   146  	// declarations require heap allocation (e.g., err1).
   147  	var (
   148  		err2                      Errno
   149  		nextfd                    int
   150  		i                         int
   151  		caps                      caps
   152  		fd1                       uintptr
   153  		puid, psetgroups, pgid    []byte
   154  		uidmap, setgroups, gidmap []byte
   155  	)
   156  
   157  	if sys.UidMappings != nil {
   158  		puid = []byte("/proc/self/uid_map\000")
   159  		uidmap = formatIDMappings(sys.UidMappings)
   160  	}
   161  
   162  	if sys.GidMappings != nil {
   163  		psetgroups = []byte("/proc/self/setgroups\000")
   164  		pgid = []byte("/proc/self/gid_map\000")
   165  
   166  		if sys.GidMappingsEnableSetgroups {
   167  			setgroups = []byte("allow\000")
   168  		} else {
   169  			setgroups = []byte("deny\000")
   170  		}
   171  		gidmap = formatIDMappings(sys.GidMappings)
   172  	}
   173  
   174  	// Record parent PID so child can test if it has died.
   175  	ppid, _ := rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   176  
   177  	// Guard against side effects of shuffling fds below.
   178  	// Make sure that nextfd is beyond any currently open files so
   179  	// that we can't run the risk of overwriting any of them.
   180  	fd := make([]int, len(attr.Files))
   181  	nextfd = len(attr.Files)
   182  	for i, ufd := range attr.Files {
   183  		if nextfd < int(ufd) {
   184  			nextfd = int(ufd)
   185  		}
   186  		fd[i] = int(ufd)
   187  	}
   188  	nextfd++
   189  
   190  	// Allocate another pipe for parent to child communication for
   191  	// synchronizing writing of User ID/Group ID mappings.
   192  	if sys.UidMappings != nil || sys.GidMappings != nil {
   193  		if err := forkExecPipe(p[:]); err != nil {
   194  			err1 = err.(Errno)
   195  			return
   196  		}
   197  	}
   198  
   199  	hasRawVforkSyscall := runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64" || runtime.GOARCH == "s390x" || runtime.GOARCH == "arm64"
   200  
   201  	// About to call fork.
   202  	// No more allocation or calls of non-assembly functions.
   203  	runtime_BeforeFork()
   204  	locked = true
   205  	switch {
   206  	case hasRawVforkSyscall && (sys.Cloneflags&CLONE_NEWUSER == 0 && sys.Unshareflags&CLONE_NEWUSER == 0):
   207  		r1, err1 = rawVforkSyscall(SYS_CLONE, uintptr(SIGCHLD|CLONE_VFORK|CLONE_VM)|sys.Cloneflags)
   208  	case runtime.GOARCH == "s390x":
   209  		r1, _, err1 = RawSyscall6(SYS_CLONE, 0, uintptr(SIGCHLD)|sys.Cloneflags, 0, 0, 0, 0)
   210  	default:
   211  		r1, _, err1 = RawSyscall6(SYS_CLONE, uintptr(SIGCHLD)|sys.Cloneflags, 0, 0, 0, 0, 0)
   212  	}
   213  	if err1 != 0 || r1 != 0 {
   214  		// If we're in the parent, we must return immediately
   215  		// so we're not in the same stack frame as the child.
   216  		// This can at most use the return PC, which the child
   217  		// will not modify, and the results of
   218  		// rawVforkSyscall, which must have been written after
   219  		// the child was replaced.
   220  		return
   221  	}
   222  
   223  	// Fork succeeded, now in child.
   224  
   225  	runtime_AfterForkInChild()
   226  
   227  	// Enable the "keep capabilities" flag to set ambient capabilities later.
   228  	if len(sys.AmbientCaps) > 0 {
   229  		_, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_KEEPCAPS, 1, 0, 0, 0, 0)
   230  		if err1 != 0 {
   231  			goto childerror
   232  		}
   233  	}
   234  
   235  	// Wait for User ID/Group ID mappings to be written.
   236  	if sys.UidMappings != nil || sys.GidMappings != nil {
   237  		if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(p[1]), 0, 0); err1 != 0 {
   238  			goto childerror
   239  		}
   240  		r1, _, err1 = RawSyscall(SYS_READ, uintptr(p[0]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2))
   241  		if err1 != 0 {
   242  			goto childerror
   243  		}
   244  		if r1 != unsafe.Sizeof(err2) {
   245  			err1 = EINVAL
   246  			goto childerror
   247  		}
   248  		if err2 != 0 {
   249  			err1 = err2
   250  			goto childerror
   251  		}
   252  	}
   253  
   254  	// Session ID
   255  	if sys.Setsid {
   256  		_, _, err1 = RawSyscall(SYS_SETSID, 0, 0, 0)
   257  		if err1 != 0 {
   258  			goto childerror
   259  		}
   260  	}
   261  
   262  	// Set process group
   263  	if sys.Setpgid || sys.Foreground {
   264  		// Place child in process group.
   265  		_, _, err1 = RawSyscall(SYS_SETPGID, 0, uintptr(sys.Pgid), 0)
   266  		if err1 != 0 {
   267  			goto childerror
   268  		}
   269  	}
   270  
   271  	if sys.Foreground {
   272  		pgrp := int32(sys.Pgid)
   273  		if pgrp == 0 {
   274  			r1, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   275  
   276  			pgrp = int32(r1)
   277  		}
   278  
   279  		// Place process group in foreground.
   280  		_, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSPGRP), uintptr(unsafe.Pointer(&pgrp)))
   281  		if err1 != 0 {
   282  			goto childerror
   283  		}
   284  	}
   285  
   286  	// Unshare
   287  	if sys.Unshareflags != 0 {
   288  		_, _, err1 = RawSyscall(SYS_UNSHARE, sys.Unshareflags, 0, 0)
   289  		if err1 != 0 {
   290  			goto childerror
   291  		}
   292  
   293  		if sys.Unshareflags&CLONE_NEWUSER != 0 && sys.GidMappings != nil {
   294  			dirfd := int(_AT_FDCWD)
   295  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&psetgroups[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   296  				goto childerror
   297  			}
   298  			r1, _, err1 = RawSyscall(SYS_WRITE, uintptr(fd1), uintptr(unsafe.Pointer(&setgroups[0])), uintptr(len(setgroups)))
   299  			if err1 != 0 {
   300  				goto childerror
   301  			}
   302  			if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(fd1), 0, 0); err1 != 0 {
   303  				goto childerror
   304  			}
   305  
   306  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&pgid[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   307  				goto childerror
   308  			}
   309  			r1, _, err1 = RawSyscall(SYS_WRITE, uintptr(fd1), uintptr(unsafe.Pointer(&gidmap[0])), uintptr(len(gidmap)))
   310  			if err1 != 0 {
   311  				goto childerror
   312  			}
   313  			if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(fd1), 0, 0); err1 != 0 {
   314  				goto childerror
   315  			}
   316  		}
   317  
   318  		if sys.Unshareflags&CLONE_NEWUSER != 0 && sys.UidMappings != nil {
   319  			dirfd := int(_AT_FDCWD)
   320  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&puid[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   321  				goto childerror
   322  			}
   323  			r1, _, err1 = RawSyscall(SYS_WRITE, uintptr(fd1), uintptr(unsafe.Pointer(&uidmap[0])), uintptr(len(uidmap)))
   324  			if err1 != 0 {
   325  				goto childerror
   326  			}
   327  			if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(fd1), 0, 0); err1 != 0 {
   328  				goto childerror
   329  			}
   330  		}
   331  
   332  		// The unshare system call in Linux doesn't unshare mount points
   333  		// mounted with --shared. Systemd mounts / with --shared. For a
   334  		// long discussion of the pros and cons of this see debian bug 739593.
   335  		// The Go model of unsharing is more like Plan 9, where you ask
   336  		// to unshare and the namespaces are unconditionally unshared.
   337  		// To make this model work we must further mark / as MS_PRIVATE.
   338  		// This is what the standard unshare command does.
   339  		if sys.Unshareflags&CLONE_NEWNS == CLONE_NEWNS {
   340  			_, _, err1 = RawSyscall6(SYS_MOUNT, uintptr(unsafe.Pointer(&none[0])), uintptr(unsafe.Pointer(&slash[0])), 0, MS_REC|MS_PRIVATE, 0, 0)
   341  			if err1 != 0 {
   342  				goto childerror
   343  			}
   344  		}
   345  	}
   346  
   347  	// Chroot
   348  	if chroot != nil {
   349  		_, _, err1 = RawSyscall(SYS_CHROOT, uintptr(unsafe.Pointer(chroot)), 0, 0)
   350  		if err1 != 0 {
   351  			goto childerror
   352  		}
   353  	}
   354  
   355  	// User and groups
   356  	if cred := sys.Credential; cred != nil {
   357  		ngroups := uintptr(len(cred.Groups))
   358  		groups := uintptr(0)
   359  		if ngroups > 0 {
   360  			groups = uintptr(unsafe.Pointer(&cred.Groups[0]))
   361  		}
   362  		if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) && !cred.NoSetGroups {
   363  			_, _, err1 = RawSyscall(_SYS_setgroups, ngroups, groups, 0)
   364  			if err1 != 0 {
   365  				goto childerror
   366  			}
   367  		}
   368  		_, _, err1 = RawSyscall(sys_SETGID, uintptr(cred.Gid), 0, 0)
   369  		if err1 != 0 {
   370  			goto childerror
   371  		}
   372  		_, _, err1 = RawSyscall(sys_SETUID, uintptr(cred.Uid), 0, 0)
   373  		if err1 != 0 {
   374  			goto childerror
   375  		}
   376  	}
   377  
   378  	if len(sys.AmbientCaps) != 0 {
   379  		// Ambient capabilities were added in the 4.3 kernel,
   380  		// so it is safe to always use _LINUX_CAPABILITY_VERSION_3.
   381  		caps.hdr.version = _LINUX_CAPABILITY_VERSION_3
   382  
   383  		if _, _, err1 := RawSyscall(SYS_CAPGET, uintptr(unsafe.Pointer(&caps.hdr)), uintptr(unsafe.Pointer(&caps.data[0])), 0); err1 != 0 {
   384  			goto childerror
   385  		}
   386  
   387  		for _, c := range sys.AmbientCaps {
   388  			// Add the c capability to the permitted and inheritable capability mask,
   389  			// otherwise we will not be able to add it to the ambient capability mask.
   390  			caps.data[capToIndex(c)].permitted |= capToMask(c)
   391  			caps.data[capToIndex(c)].inheritable |= capToMask(c)
   392  		}
   393  
   394  		if _, _, err1 := RawSyscall(SYS_CAPSET, uintptr(unsafe.Pointer(&caps.hdr)), uintptr(unsafe.Pointer(&caps.data[0])), 0); err1 != 0 {
   395  			goto childerror
   396  		}
   397  
   398  		for _, c := range sys.AmbientCaps {
   399  			_, _, err1 = RawSyscall6(SYS_PRCTL, PR_CAP_AMBIENT, uintptr(PR_CAP_AMBIENT_RAISE), c, 0, 0, 0)
   400  			if err1 != 0 {
   401  				goto childerror
   402  			}
   403  		}
   404  	}
   405  
   406  	// Chdir
   407  	if dir != nil {
   408  		_, _, err1 = RawSyscall(SYS_CHDIR, uintptr(unsafe.Pointer(dir)), 0, 0)
   409  		if err1 != 0 {
   410  			goto childerror
   411  		}
   412  	}
   413  
   414  	// Parent death signal
   415  	if sys.Pdeathsig != 0 {
   416  		_, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_PDEATHSIG, uintptr(sys.Pdeathsig), 0, 0, 0, 0)
   417  		if err1 != 0 {
   418  			goto childerror
   419  		}
   420  
   421  		// Signal self if parent is already dead. This might cause a
   422  		// duplicate signal in rare cases, but it won't matter when
   423  		// using SIGKILL.
   424  		r1, _ = rawSyscallNoError(SYS_GETPPID, 0, 0, 0)
   425  		if r1 != ppid {
   426  			pid, _ := rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   427  			_, _, err1 := RawSyscall(SYS_KILL, pid, uintptr(sys.Pdeathsig), 0)
   428  			if err1 != 0 {
   429  				goto childerror
   430  			}
   431  		}
   432  	}
   433  
   434  	// Pass 1: look for fd[i] < i and move those up above len(fd)
   435  	// so that pass 2 won't stomp on an fd it needs later.
   436  	if pipe < nextfd {
   437  		_, _, err1 = RawSyscall(_SYS_dup, uintptr(pipe), uintptr(nextfd), 0)
   438  		if err1 != 0 {
   439  			goto childerror
   440  		}
   441  		RawSyscall(fcntl64Syscall, uintptr(nextfd), F_SETFD, FD_CLOEXEC)
   442  		pipe = nextfd
   443  		nextfd++
   444  	}
   445  	for i = 0; i < len(fd); i++ {
   446  		if fd[i] >= 0 && fd[i] < int(i) {
   447  			if nextfd == pipe { // don't stomp on pipe
   448  				nextfd++
   449  			}
   450  			_, _, err1 = RawSyscall(_SYS_dup, uintptr(fd[i]), uintptr(nextfd), 0)
   451  			if err1 != 0 {
   452  				goto childerror
   453  			}
   454  			RawSyscall(fcntl64Syscall, uintptr(nextfd), F_SETFD, FD_CLOEXEC)
   455  			fd[i] = nextfd
   456  			nextfd++
   457  		}
   458  	}
   459  
   460  	// Pass 2: dup fd[i] down onto i.
   461  	for i = 0; i < len(fd); i++ {
   462  		if fd[i] == -1 {
   463  			RawSyscall(SYS_CLOSE, uintptr(i), 0, 0)
   464  			continue
   465  		}
   466  		if fd[i] == int(i) {
   467  			// dup2(i, i) won't clear close-on-exec flag on Linux,
   468  			// probably not elsewhere either.
   469  			_, _, err1 = RawSyscall(fcntl64Syscall, uintptr(fd[i]), F_SETFD, 0)
   470  			if err1 != 0 {
   471  				goto childerror
   472  			}
   473  			continue
   474  		}
   475  		// The new fd is created NOT close-on-exec,
   476  		// which is exactly what we want.
   477  		_, _, err1 = RawSyscall(_SYS_dup, uintptr(fd[i]), uintptr(i), 0)
   478  		if err1 != 0 {
   479  			goto childerror
   480  		}
   481  	}
   482  
   483  	// By convention, we don't close-on-exec the fds we are
   484  	// started with, so if len(fd) < 3, close 0, 1, 2 as needed.
   485  	// Programs that know they inherit fds >= 3 will need
   486  	// to set them close-on-exec.
   487  	for i = len(fd); i < 3; i++ {
   488  		RawSyscall(SYS_CLOSE, uintptr(i), 0, 0)
   489  	}
   490  
   491  	// Detach fd 0 from tty
   492  	if sys.Noctty {
   493  		_, _, err1 = RawSyscall(SYS_IOCTL, 0, uintptr(TIOCNOTTY), 0)
   494  		if err1 != 0 {
   495  			goto childerror
   496  		}
   497  	}
   498  
   499  	// Set the controlling TTY to Ctty
   500  	if sys.Setctty {
   501  		_, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSCTTY), 1)
   502  		if err1 != 0 {
   503  			goto childerror
   504  		}
   505  	}
   506  
   507  	// Enable tracing if requested.
   508  	// Do this right before exec so that we don't unnecessarily trace the runtime
   509  	// setting up after the fork. See issue #21428.
   510  	if sys.Ptrace {
   511  		_, _, err1 = RawSyscall(SYS_PTRACE, uintptr(PTRACE_TRACEME), 0, 0)
   512  		if err1 != 0 {
   513  			goto childerror
   514  		}
   515  	}
   516  
   517  	// Time to exec.
   518  	_, _, err1 = RawSyscall(SYS_EXECVE,
   519  		uintptr(unsafe.Pointer(argv0)),
   520  		uintptr(unsafe.Pointer(&argv[0])),
   521  		uintptr(unsafe.Pointer(&envv[0])))
   522  
   523  childerror:
   524  	// send error code on pipe
   525  	RawSyscall(SYS_WRITE, uintptr(pipe), uintptr(unsafe.Pointer(&err1)), unsafe.Sizeof(err1))
   526  	for {
   527  		RawSyscall(SYS_EXIT, 253, 0, 0)
   528  	}
   529  }
   530  
   531  // Try to open a pipe with O_CLOEXEC set on both file descriptors.
   532  func forkExecPipe(p []int) (err error) {
   533  	err = Pipe2(p, O_CLOEXEC)
   534  	// pipe2 was added in 2.6.27 and our minimum requirement is 2.6.23, so it
   535  	// might not be implemented.
   536  	if err == ENOSYS {
   537  		if err = Pipe(p); err != nil {
   538  			return
   539  		}
   540  		if _, err = fcntl(p[0], F_SETFD, FD_CLOEXEC); err != nil {
   541  			return
   542  		}
   543  		_, err = fcntl(p[1], F_SETFD, FD_CLOEXEC)
   544  	}
   545  	return
   546  }
   547  
   548  func formatIDMappings(idMap []SysProcIDMap) []byte {
   549  	var data []byte
   550  	for _, im := range idMap {
   551  		data = append(data, []byte(itoa(im.ContainerID)+" "+itoa(im.HostID)+" "+itoa(im.Size)+"\n")...)
   552  	}
   553  	return data
   554  }
   555  
   556  // writeIDMappings writes the user namespace User ID or Group ID mappings to the specified path.
   557  func writeIDMappings(path string, idMap []SysProcIDMap) error {
   558  	fd, err := Open(path, O_RDWR, 0)
   559  	if err != nil {
   560  		return err
   561  	}
   562  
   563  	if _, err := Write(fd, formatIDMappings(idMap)); err != nil {
   564  		Close(fd)
   565  		return err
   566  	}
   567  
   568  	if err := Close(fd); err != nil {
   569  		return err
   570  	}
   571  
   572  	return nil
   573  }
   574  
   575  // writeSetgroups writes to /proc/PID/setgroups "deny" if enable is false
   576  // and "allow" if enable is true.
   577  // This is needed since kernel 3.19, because you can't write gid_map without
   578  // disabling setgroups() system call.
   579  func writeSetgroups(pid int, enable bool) error {
   580  	sgf := "/proc/" + itoa(pid) + "/setgroups"
   581  	fd, err := Open(sgf, O_RDWR, 0)
   582  	if err != nil {
   583  		return err
   584  	}
   585  
   586  	var data []byte
   587  	if enable {
   588  		data = []byte("allow")
   589  	} else {
   590  		data = []byte("deny")
   591  	}
   592  
   593  	if _, err := Write(fd, data); err != nil {
   594  		Close(fd)
   595  		return err
   596  	}
   597  
   598  	return Close(fd)
   599  }
   600  
   601  // writeUidGidMappings writes User ID and Group ID mappings for user namespaces
   602  // for a process and it is called from the parent process.
   603  func writeUidGidMappings(pid int, sys *SysProcAttr) error {
   604  	if sys.UidMappings != nil {
   605  		uidf := "/proc/" + itoa(pid) + "/uid_map"
   606  		if err := writeIDMappings(uidf, sys.UidMappings); err != nil {
   607  			return err
   608  		}
   609  	}
   610  
   611  	if sys.GidMappings != nil {
   612  		// If the kernel is too old to support /proc/PID/setgroups, writeSetGroups will return ENOENT; this is OK.
   613  		if err := writeSetgroups(pid, sys.GidMappingsEnableSetgroups); err != nil && err != ENOENT {
   614  			return err
   615  		}
   616  		gidf := "/proc/" + itoa(pid) + "/gid_map"
   617  		if err := writeIDMappings(gidf, sys.GidMappings); err != nil {
   618  			return err
   619  		}
   620  	}
   621  
   622  	return nil
   623  }
   624
View as plain text