This patch adds Unshare flags to SysProcAttr for Linux systems.
Fixes#1954
Change-Id: Id819c3f92b1474e5a06dd8d55f89d74a43eb770c
Reviewed-on: https://go-review.googlesource.com/23233
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Fixes#14693
Change-Id: Id0a6a80b4c37c0b0f1c2755667b7233ed8964e40
Reviewed-on: https://go-review.googlesource.com/20342
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The kernel rejects attempts to create user namespaces when in a chroot.
Change-Id: I6548302732c8f5be52f4167cd7233aea16839ad8
Reviewed-on: https://go-review.googlesource.com/17214
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Change-Id: If0d00999c58f7421e4da06e1822ba5abccf72cac
Reviewed-on: https://go-review.googlesource.com/14111
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This is basic validation and should be performed early
Fixes#12412
Change-Id: I903f7eeafdc22376704985a53d649698cf9d8ef4
Reviewed-on: https://go-review.googlesource.com/14110
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Setgroups with zero-length groups is no-op for changing groups and
supposed to be used only for determining curent groups length. Also
because we deny setgroups by default if use GidMappings we have
unnecessary error from that no-op syscall.
Change-Id: I8f74fbca9190a3dcbbef1d886c518e01fa05eb62
Reviewed-on: https://go-review.googlesource.com/13938
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Some Linux kernels apparently have a sysctl that prohibits
nonprivileged processes from creating user namespaces. If we see a
failure for that reason, skip the test.
Fixes#11261.
Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad
Reviewed-on: https://go-review.googlesource.com/11269
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
The problem was not the kernel version as I thought before, it was
that the test used the same number for both the UID and the GID.
Thanks to Chris Siebenmann for debugging this.
Fixes#11220.
Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde
Reviewed-on: https://go-review.googlesource.com/11124
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Austin Clements <austin@google.com>
The test fails on Ubuntu Trusty for some reason, probably because of
some set of kernel patches.
Change-Id: I52f7ca50b96fea5725817c9e9198860d419f9313
Reviewed-on: https://go-review.googlesource.com/11055
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to
address a security issue.
The upshot of the 3.19 changes is that in order to update the 'gid_maps' file,
use of the setgroups() system call in this user namespace must first be disabled
by writing "deny" to one of the /proc/PID/setgroups files for this namespace.
Also added tests for remapping uid_map and gid_map inside new user
namespace.
Fixes#10626
Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7
Reviewed-on: https://go-review.googlesource.com/10670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
