github.com/miolini/go@v0.0.0-20160405192216-fca68c8cb408/src/syscall/exec_linux_test.go (about) 1 // Copyright 2015 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // +build linux 6 7 package syscall_test 8 9 import ( 10 "io/ioutil" 11 "os" 12 "os/exec" 13 "strings" 14 "syscall" 15 "testing" 16 ) 17 18 // Check if we are in a chroot by checking if the inode of / is 19 // different from 2 (there is no better test available to non-root on 20 // linux). 21 func isChrooted(t *testing.T) bool { 22 root, err := os.Stat("/") 23 if err != nil { 24 t.Fatalf("cannot stat /: %v", err) 25 } 26 return root.Sys().(*syscall.Stat_t).Ino != 2 27 } 28 29 func whoamiCmd(t *testing.T, uid, gid int, setgroups bool) *exec.Cmd { 30 if _, err := os.Stat("/proc/self/ns/user"); err != nil { 31 if os.IsNotExist(err) { 32 t.Skip("kernel doesn't support user namespaces") 33 } 34 if os.IsPermission(err) { 35 t.Skip("unable to test user namespaces due to permissions") 36 } 37 t.Fatalf("Failed to stat /proc/self/ns/user: %v", err) 38 } 39 if isChrooted(t) { 40 // create_user_ns in the kernel (see 41 // https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c) 42 // forbids the creation of user namespaces when chrooted. 43 t.Skip("cannot create user namespaces when chrooted") 44 } 45 // On some systems, there is a sysctl setting. 46 if os.Getuid() != 0 { 47 data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone") 48 if errRead == nil && data[0] == '0' { 49 t.Skip("kernel prohibits user namespace in unprivileged process") 50 } 51 } 52 // When running under the Go continuous build, skip tests for 53 // now when under Kubernetes. (where things are root but not quite) 54 // Both of these are our own environment variables. 55 // See Issue 12815. 56 if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" { 57 t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") 58 } 59 cmd := exec.Command("whoami") 60 cmd.SysProcAttr = &syscall.SysProcAttr{ 61 Cloneflags: syscall.CLONE_NEWUSER, 62 UidMappings: []syscall.SysProcIDMap{ 63 {ContainerID: 0, HostID: uid, Size: 1}, 64 }, 65 GidMappings: []syscall.SysProcIDMap{ 66 {ContainerID: 0, HostID: gid, Size: 1}, 67 }, 68 GidMappingsEnableSetgroups: setgroups, 69 } 70 return cmd 71 } 72 73 func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) { 74 cmd := whoamiCmd(t, uid, gid, setgroups) 75 out, err := cmd.CombinedOutput() 76 if err != nil { 77 t.Fatalf("Cmd failed with err %v, output: %s", err, out) 78 } 79 sout := strings.TrimSpace(string(out)) 80 want := "root" 81 if sout != want { 82 t.Fatalf("whoami = %q; want %q", out, want) 83 } 84 } 85 86 func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) { 87 if os.Getuid() != 0 { 88 t.Skip("skipping root only test") 89 } 90 testNEWUSERRemap(t, 0, 0, false) 91 } 92 93 func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) { 94 if os.Getuid() != 0 { 95 t.Skip("skipping root only test") 96 } 97 testNEWUSERRemap(t, 0, 0, false) 98 } 99 100 func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) { 101 if os.Getuid() == 0 { 102 t.Skip("skipping unprivileged user only test") 103 } 104 testNEWUSERRemap(t, os.Getuid(), os.Getgid(), false) 105 } 106 107 func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) { 108 if os.Getuid() == 0 { 109 t.Skip("skipping unprivileged user only test") 110 } 111 cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), true) 112 err := cmd.Run() 113 if err == nil { 114 t.Skip("probably old kernel without security fix") 115 } 116 if !os.IsPermission(err) { 117 t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail") 118 } 119 } 120 121 func TestEmptyCredGroupsDisableSetgroups(t *testing.T) { 122 cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), false) 123 cmd.SysProcAttr.Credential = &syscall.Credential{} 124 if err := cmd.Run(); err != nil { 125 t.Fatal(err) 126 } 127 }