github.com/q45/go@v0.0.0-20151101211701-a4fb8c13db3f/src/syscall/exec_linux_test.go

github.com/q45/go@v0.0.0-20151101211701-a4fb8c13db3f/src/syscall/exec_linux_test.go (about)

     1  // Copyright 2015 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // +build linux
     6  
     7  package syscall_test
     8  
     9  import (
    10  	"io/ioutil"
    11  	"os"
    12  	"os/exec"
    13  	"strings"
    14  	"syscall"
    15  	"testing"
    16  )
    17  
    18  func whoamiCmd(t *testing.T, uid, gid int, setgroups bool) *exec.Cmd {
    19  	if _, err := os.Stat("/proc/self/ns/user"); err != nil {
    20  		if os.IsNotExist(err) {
    21  			t.Skip("kernel doesn't support user namespaces")
    22  		}
    23  		t.Fatalf("Failed to stat /proc/self/ns/user: %v", err)
    24  	}
    25  	// On some systems, there is a sysctl setting.
    26  	if os.Getuid() != 0 {
    27  		data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
    28  		if errRead == nil && data[0] == '0' {
    29  			t.Skip("kernel prohibits user namespace in unprivileged process")
    30  		}
    31  	}
    32  	// When running under the Go continuous build, skip tests for
    33  	// now when under Kubernetes. (where things are root but not quite)
    34  	// Both of these are our own environment variables.
    35  	// See Issue 12815.
    36  	if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" {
    37  		t.Skip("skipping test on Kubernetes-based builders; see Issue 12815")
    38  	}
    39  	cmd := exec.Command("whoami")
    40  	cmd.SysProcAttr = &syscall.SysProcAttr{
    41  		Cloneflags: syscall.CLONE_NEWUSER,
    42  		UidMappings: []syscall.SysProcIDMap{
    43  			{ContainerID: 0, HostID: uid, Size: 1},
    44  		},
    45  		GidMappings: []syscall.SysProcIDMap{
    46  			{ContainerID: 0, HostID: gid, Size: 1},
    47  		},
    48  		GidMappingsEnableSetgroups: setgroups,
    49  	}
    50  	return cmd
    51  }
    52  
    53  func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) {
    54  	cmd := whoamiCmd(t, uid, gid, setgroups)
    55  	out, err := cmd.CombinedOutput()
    56  	if err != nil {
    57  		t.Fatalf("Cmd failed with err %v, output: %s", err, out)
    58  	}
    59  	sout := strings.TrimSpace(string(out))
    60  	want := "root"
    61  	if sout != want {
    62  		t.Fatalf("whoami = %q; want %q", out, want)
    63  	}
    64  }
    65  
    66  func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) {
    67  	if os.Getuid() != 0 {
    68  		t.Skip("skipping root only test")
    69  	}
    70  	testNEWUSERRemap(t, 0, 0, false)
    71  }
    72  
    73  func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) {
    74  	if os.Getuid() != 0 {
    75  		t.Skip("skipping root only test")
    76  	}
    77  	testNEWUSERRemap(t, 0, 0, false)
    78  }
    79  
    80  func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) {
    81  	if os.Getuid() == 0 {
    82  		t.Skip("skipping unprivileged user only test")
    83  	}
    84  	testNEWUSERRemap(t, os.Getuid(), os.Getgid(), false)
    85  }
    86  
    87  func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {
    88  	if os.Getuid() == 0 {
    89  		t.Skip("skipping unprivileged user only test")
    90  	}
    91  	cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), true)
    92  	err := cmd.Run()
    93  	if err == nil {
    94  		t.Skip("probably old kernel without security fix")
    95  	}
    96  	if !os.IsPermission(err) {
    97  		t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")
    98  	}
    99  }
   100  
   101  func TestEmptyCredGroupsDisableSetgroups(t *testing.T) {
   102  	cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), false)
   103  	cmd.SysProcAttr.Credential = &syscall.Credential{}
   104  	if err := cmd.Run(); err != nil {
   105  		t.Fatal(err)
   106  	}
   107  }