Despite its name, it did the same thing as
TestCloneNEWUSERAndRemapRootDisableSetgroups in old code. So fix it.
Change-Id: I21265e539179c51980e16f07a553a9bf5bb7903f
Reviewed-on: https://go-review.googlesource.com/35273
Run-TryBot: David Crawshaw <crawshaw@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: David Crawshaw <crawshaw@golang.org>
For those tests there won't be enough permissions in containers.
I decided to go this way instead of just skipping os.IsPermission errors because
many of those tests were specifically written to check false positive permission
errors.
Fixes#21379
Change-Id: Ie25e1d6d47f85bb6b570352638440f3ac1e18e03
Reviewed-on: https://go-review.googlesource.com/58170
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Usually this test is skipped (on builders and when not root), so
people are unlikely to see this error.
Updates #19296
Change-Id: I3acb81260034dad8776c305f83d7cbac4b718e75
Reviewed-on: https://go-review.googlesource.com/48191
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
When unshare specifies a new namespace, the syscall
package changes / to make namespace changes private.
If a chroot is specified, the unshare must be done first.
If the chroot is done first then the unshare will
not specify the correct /.
A new test is included which test combining chroot
and CLONE_NEWNS; it fails without the patch and works with
it.
Fixes#20103
Change-Id: I86022803c784bd418a30383321f3d64103d95c62
Reviewed-on: https://go-review.googlesource.com/41626
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This updates TestGroupCleanup and TestGroupCleanupUserNamespace to pass in the
Alpine builder.
Updates #19938
Change-Id: Iacbfd73782eccd57f872f9e85726c6024529c277
Reviewed-on: https://go-review.googlesource.com/40692
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: Gobot Gobot <gobot@golang.org>
TestUnshareMountNameSpace fails on arm64 due to permission problems.
Skip that test for now when permission problems are encountered, so we
don't regress elsewhere in the meantime.
Updates #19698
Change-Id: I9058928afa474b813652c9489f343b8957160a6c
Reviewed-on: https://go-review.googlesource.com/39052
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Josh Bleecher Snyder <josharian@gmail.com>
In some newer Linux distros, systemd forces
all mount namespaces to be shared, starting
at /. This disables the CLONE_NEWNS
flag in unshare(2) and clone(2).
While this problem is most commonly seen
on systems with systemd, it can happen anywhere,
due to how Linux namespaces now work.
Hence, to create a private mount namespace,
it is not sufficient to just set
CLONE_NEWS; you have to call mount(2) to change
the behavior of namespaces, i.e.
mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL)
This is tested and working and we can now correctly
start child process with private namespaces on Linux
distros that use systemd.
The new test works correctly on Ubuntu 16.04.2 LTS.
It fails if I comment out the new Mount, and
succeeds otherwise. In each case it correctly
cleans up after itself.
Fixes#19661
Change-Id: I52240b59628e3772b529d9bbef7166606b0c157d
Reviewed-on: https://go-review.googlesource.com/38471
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Fixes#17224.
Some systems have more than just "lo" in a fresh network namespace, due
to IPv6. Instead of testing for exactly 3 lines of output (implying 1
interface), just test to make sure that the unshare call resulted in
fewer interfaces than before. This should still verify that unshare did
something.
Change-Id: Iaf84c2b0e673fc207059d62e2f4dd7583a753419
Reviewed-on: https://go-review.googlesource.com/30372
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jessica Frazelle <me@jessfraz.com>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This should fix the report at #16224, and also fixes running the test as
root on my Ubuntu Trusty system.
Fixes#16224.
Change-Id: I4e3b5527aa63366afb33a7e30efab088d34fb302
Reviewed-on: https://go-review.googlesource.com/24670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Fixes#16056.
Change-Id: Ic3343914742713851b8ae969b101521f25e85e7b
Reviewed-on: https://go-review.googlesource.com/24132
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Skip setgroups only for one particular case: GidMappings != nil and
GidMappingsEnableSetgroup == false and list of supplementary groups is
empty.
This patch returns pre-1.5 behavior for simple exec and still allows to
use GidMappings with non-empty Credential.
Change-Id: Ia91c77e76ec5efab7a7f78134ffb529910108fc1
Reviewed-on: https://go-review.googlesource.com/23524
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
For symmetry with Cloneflags and it looks slightly weird because there
is syscall.Unshare method.
Change-Id: I3d710177ca8f27c05b344407f212cbbe3435094b
Reviewed-on: https://go-review.googlesource.com/23612
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
This patch adds Unshare flags to SysProcAttr for Linux systems.
Fixes#1954
Change-Id: Id819c3f92b1474e5a06dd8d55f89d74a43eb770c
Reviewed-on: https://go-review.googlesource.com/23233
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Fixes#14693
Change-Id: Id0a6a80b4c37c0b0f1c2755667b7233ed8964e40
Reviewed-on: https://go-review.googlesource.com/20342
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The kernel rejects attempts to create user namespaces when in a chroot.
Change-Id: I6548302732c8f5be52f4167cd7233aea16839ad8
Reviewed-on: https://go-review.googlesource.com/17214
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Change-Id: If0d00999c58f7421e4da06e1822ba5abccf72cac
Reviewed-on: https://go-review.googlesource.com/14111
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This is basic validation and should be performed early
Fixes#12412
Change-Id: I903f7eeafdc22376704985a53d649698cf9d8ef4
Reviewed-on: https://go-review.googlesource.com/14110
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Setgroups with zero-length groups is no-op for changing groups and
supposed to be used only for determining curent groups length. Also
because we deny setgroups by default if use GidMappings we have
unnecessary error from that no-op syscall.
Change-Id: I8f74fbca9190a3dcbbef1d886c518e01fa05eb62
Reviewed-on: https://go-review.googlesource.com/13938
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Some Linux kernels apparently have a sysctl that prohibits
nonprivileged processes from creating user namespaces. If we see a
failure for that reason, skip the test.
Fixes#11261.
Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad
Reviewed-on: https://go-review.googlesource.com/11269
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
The problem was not the kernel version as I thought before, it was
that the test used the same number for both the UID and the GID.
Thanks to Chris Siebenmann for debugging this.
Fixes#11220.
Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde
Reviewed-on: https://go-review.googlesource.com/11124
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Austin Clements <austin@google.com>
The test fails on Ubuntu Trusty for some reason, probably because of
some set of kernel patches.
Change-Id: I52f7ca50b96fea5725817c9e9198860d419f9313
Reviewed-on: https://go-review.googlesource.com/11055
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to
address a security issue.
The upshot of the 3.19 changes is that in order to update the 'gid_maps' file,
use of the setgroups() system call in this user namespace must first be disabled
by writing "deny" to one of the /proc/PID/setgroups files for this namespace.
Also added tests for remapping uid_map and gid_map inside new user
namespace.
Fixes#10626
Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7
Reviewed-on: https://go-review.googlesource.com/10670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
