go/src/syscall/exec_linux_test.go

// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build linux

package syscall_test

import (
	"io/ioutil"
	"os"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
	"syscall"
	"testing"
)

func whoamiCmd(t *testing.T, uid, gid int, setgroups bool) *exec.Cmd {
	if _, err := os.Stat("/proc/self/ns/user"); err != nil {
		if os.IsNotExist(err) {
			t.Skip("kernel doesn't support user namespaces")
		}
		t.Fatalf("Failed to stat /proc/self/ns/user: %v", err)
	}
	cmd := exec.Command("whoami")
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUSER,
		UidMappings: []syscall.SysProcIDMap{
			{ContainerID: 0, HostID: uid, Size: 1},
		},
		GidMappings: []syscall.SysProcIDMap{
			{ContainerID: 0, HostID: gid, Size: 1},
		},
		GidMappingsEnableSetgroups: setgroups,
	}
	return cmd
}

func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) {
	cmd := whoamiCmd(t, uid, gid, setgroups)
	out, err := cmd.CombinedOutput()
	if err != nil {
		// On some systems, there is a sysctl setting.
		if os.IsPermission(err) && os.Getuid() != 0 {
			data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
			if errRead == nil && data[0] == '0' {
				t.Skip("kernel prohibits user namespace in unprivileged process")
			}
		}

		t.Fatalf("Cmd failed with err %v, output: %s", err, out)
	}
	sout := strings.TrimSpace(string(out))
	want := "root"
	if sout != want {
		t.Fatalf("whoami = %q; want %q", out, want)
	}
}

func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) {
	if os.Getuid() != 0 {
		t.Skip("skipping root only test")
	}
	testNEWUSERRemap(t, 0, 0, false)
}

func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) {
	if os.Getuid() != 0 {
		t.Skip("skipping root only test")
	}
	testNEWUSERRemap(t, 0, 0, false)
}

// kernelVersion returns the major and minor versions of the Linux
// kernel version.  It calls t.Skip if it can't figure it out.
func kernelVersion(t *testing.T) (int, int) {
	bytes, err := ioutil.ReadFile("/proc/version")
	if err != nil {
		t.Skipf("can't get kernel version: %v", err)
	}
	matches := regexp.MustCompile("([0-9]+).([0-9]+)").FindSubmatch(bytes)
	if len(matches) < 3 {
		t.Skipf("can't get kernel version from %s", bytes)
	}
	major, _ := strconv.Atoi(string(matches[1]))
	minor, _ := strconv.Atoi(string(matches[2]))
	return major, minor
}

func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) {
	if os.Getuid() == 0 {
		t.Skip("skipping unprivileged user only test")
	}
	testNEWUSERRemap(t, os.Getuid(), os.Getgid(), false)
}

func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {
	if os.Getuid() == 0 {
		t.Skip("skipping unprivileged user only test")
	}
	cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), true)
	err := cmd.Run()
	if err == nil {
		t.Skip("probably old kernel without security fix")
	}
	if !os.IsPermission(err) {
		t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")
	}
}
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`// Copyright 2015 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`// +build linux`

			`package syscall_test`

			`import (`
syscall: skip TestCloneNEWUSERAndRemapNoRootDisableSetgroups before 3.19 The test fails on Ubuntu Trusty for some reason, probably because of some set of kernel patches. Change-Id: I52f7ca50b96fea5725817c9e9198860d419f9313 Reviewed-on: https://go-review.googlesource.com/11055 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com> 2015-06-13 14:46:10 -06:00			`"io/ioutil"`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`"os"`
			`"os/exec"`
syscall: skip TestCloneNEWUSERAndRemapNoRootDisableSetgroups before 3.19 The test fails on Ubuntu Trusty for some reason, probably because of some set of kernel patches. Change-Id: I52f7ca50b96fea5725817c9e9198860d419f9313 Reviewed-on: https://go-review.googlesource.com/11055 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com> 2015-06-13 14:46:10 -06:00			`"regexp"`
			`"strconv"`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`"strings"`
			`"syscall"`
			`"testing"`
			`)`

syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right way The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com> 2015-06-15 12:35:56 -06:00			`func whoamiCmd(t testing.T, uid, gid int, setgroups bool) exec.Cmd {`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`if _, err := os.Stat("/proc/self/ns/user"); err != nil {`
			`if os.IsNotExist(err) {`
			`t.Skip("kernel doesn't support user namespaces")`
			`}`
			`t.Fatalf("Failed to stat /proc/self/ns/user: %v", err)`
			`}`
			`cmd := exec.Command("whoami")`
			`cmd.SysProcAttr = &syscall.SysProcAttr{`
			`Cloneflags: syscall.CLONE_NEWUSER,`
			`UidMappings: []syscall.SysProcIDMap{`
			`{ContainerID: 0, HostID: uid, Size: 1},`
			`},`
			`GidMappings: []syscall.SysProcIDMap{`
syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right way The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com> 2015-06-15 12:35:56 -06:00			`{ContainerID: 0, HostID: gid, Size: 1},`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`},`
			`GidMappingsEnableSetgroups: setgroups,`
			`}`
			`return cmd`
			`}`

syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right way The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com> 2015-06-15 12:35:56 -06:00			`func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) {`
			`cmd := whoamiCmd(t, uid, gid, setgroups)`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`out, err := cmd.CombinedOutput()`
			`if err != nil {`
syscall: skip non-root user namespace test if kernel forbids Some Linux kernels apparently have a sysctl that prohibits nonprivileged processes from creating user namespaces. If we see a failure for that reason, skip the test. Fixes #11261. Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad Reviewed-on: https://go-review.googlesource.com/11269 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com> 2015-06-19 14:48:06 -06:00			`// On some systems, there is a sysctl setting.`
			`if os.IsPermission(err) && os.Getuid() != 0 {`
			`data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")`
			`if errRead == nil && data[0] == '0' {`
			`t.Skip("kernel prohibits user namespace in unprivileged process")`
			`}`
			`}`

syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`t.Fatalf("Cmd failed with err %v, output: %s", err, out)`
			`}`
			`sout := strings.TrimSpace(string(out))`
			`want := "root"`
			`if sout != want {`
			`t.Fatalf("whoami = %q; want %q", out, want)`
			`}`
			`}`

			`func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) {`
			`if os.Getuid() != 0 {`
			`t.Skip("skipping root only test")`
			`}`
syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right way The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com> 2015-06-15 12:35:56 -06:00			`testNEWUSERRemap(t, 0, 0, false)`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`}`

			`func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) {`
			`if os.Getuid() != 0 {`
			`t.Skip("skipping root only test")`
			`}`
syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right way The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com> 2015-06-15 12:35:56 -06:00			`testNEWUSERRemap(t, 0, 0, false)`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`}`

syscall: skip TestCloneNEWUSERAndRemapNoRootDisableSetgroups before 3.19 The test fails on Ubuntu Trusty for some reason, probably because of some set of kernel patches. Change-Id: I52f7ca50b96fea5725817c9e9198860d419f9313 Reviewed-on: https://go-review.googlesource.com/11055 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com> 2015-06-13 14:46:10 -06:00			`// kernelVersion returns the major and minor versions of the Linux`
			`// kernel version. It calls t.Skip if it can't figure it out.`
			`func kernelVersion(t *testing.T) (int, int) {`
			`bytes, err := ioutil.ReadFile("/proc/version")`
			`if err != nil {`
			`t.Skipf("can't get kernel version: %v", err)`
			`}`
			`matches := regexp.MustCompile("([0-9]+).([0-9]+)").FindSubmatch(bytes)`
			`if len(matches) < 3 {`
			`t.Skipf("can't get kernel version from %s", bytes)`
			`}`
			`major, _ := strconv.Atoi(string(matches[1]))`
			`minor, _ := strconv.Atoi(string(matches[2]))`
			`return major, minor`
			`}`

syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) {`
			`if os.Getuid() == 0 {`
			`t.Skip("skipping unprivileged user only test")`
			`}`
syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right way The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com> 2015-06-15 12:35:56 -06:00			`testNEWUSERRemap(t, os.Getuid(), os.Getgid(), false)`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`}`

			`func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {`
			`if os.Getuid() == 0 {`
			`t.Skip("skipping unprivileged user only test")`
			`}`
syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right way The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com> 2015-06-15 12:35:56 -06:00			`cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), true)`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`err := cmd.Run()`
			`if err == nil {`
			`t.Skip("probably old kernel without security fix")`
			`}`
syscall: skip non-root user namespace test if kernel forbids Some Linux kernels apparently have a sysctl that prohibits nonprivileged processes from creating user namespaces. If we see a failure for that reason, skip the test. Fixes #11261. Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad Reviewed-on: https://go-review.googlesource.com/11269 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com> 2015-06-19 14:48:06 -06:00			`if !os.IsPermission(err) {`
syscall: add GidMappingsEnableSetgroups to Linux SysProcAttr Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 2015-06-03 11:50:39 -06:00			`t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")`
			`}`
			`}`