github.com/q45/go@v0.0.0-20151101211701-a4fb8c13db3f/src/syscall/exec_linux_test.go (about) 1 // Copyright 2015 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // +build linux 6 7 package syscall_test 8 9 import ( 10 "io/ioutil" 11 "os" 12 "os/exec" 13 "strings" 14 "syscall" 15 "testing" 16 ) 17 18 func whoamiCmd(t *testing.T, uid, gid int, setgroups bool) *exec.Cmd { 19 if _, err := os.Stat("/proc/self/ns/user"); err != nil { 20 if os.IsNotExist(err) { 21 t.Skip("kernel doesn't support user namespaces") 22 } 23 t.Fatalf("Failed to stat /proc/self/ns/user: %v", err) 24 } 25 // On some systems, there is a sysctl setting. 26 if os.Getuid() != 0 { 27 data, errRead := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone") 28 if errRead == nil && data[0] == '0' { 29 t.Skip("kernel prohibits user namespace in unprivileged process") 30 } 31 } 32 // When running under the Go continuous build, skip tests for 33 // now when under Kubernetes. (where things are root but not quite) 34 // Both of these are our own environment variables. 35 // See Issue 12815. 36 if os.Getenv("GO_BUILDER_NAME") != "" && os.Getenv("IN_KUBERNETES") == "1" { 37 t.Skip("skipping test on Kubernetes-based builders; see Issue 12815") 38 } 39 cmd := exec.Command("whoami") 40 cmd.SysProcAttr = &syscall.SysProcAttr{ 41 Cloneflags: syscall.CLONE_NEWUSER, 42 UidMappings: []syscall.SysProcIDMap{ 43 {ContainerID: 0, HostID: uid, Size: 1}, 44 }, 45 GidMappings: []syscall.SysProcIDMap{ 46 {ContainerID: 0, HostID: gid, Size: 1}, 47 }, 48 GidMappingsEnableSetgroups: setgroups, 49 } 50 return cmd 51 } 52 53 func testNEWUSERRemap(t *testing.T, uid, gid int, setgroups bool) { 54 cmd := whoamiCmd(t, uid, gid, setgroups) 55 out, err := cmd.CombinedOutput() 56 if err != nil { 57 t.Fatalf("Cmd failed with err %v, output: %s", err, out) 58 } 59 sout := strings.TrimSpace(string(out)) 60 want := "root" 61 if sout != want { 62 t.Fatalf("whoami = %q; want %q", out, want) 63 } 64 } 65 66 func TestCloneNEWUSERAndRemapRootDisableSetgroups(t *testing.T) { 67 if os.Getuid() != 0 { 68 t.Skip("skipping root only test") 69 } 70 testNEWUSERRemap(t, 0, 0, false) 71 } 72 73 func TestCloneNEWUSERAndRemapRootEnableSetgroups(t *testing.T) { 74 if os.Getuid() != 0 { 75 t.Skip("skipping root only test") 76 } 77 testNEWUSERRemap(t, 0, 0, false) 78 } 79 80 func TestCloneNEWUSERAndRemapNoRootDisableSetgroups(t *testing.T) { 81 if os.Getuid() == 0 { 82 t.Skip("skipping unprivileged user only test") 83 } 84 testNEWUSERRemap(t, os.Getuid(), os.Getgid(), false) 85 } 86 87 func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) { 88 if os.Getuid() == 0 { 89 t.Skip("skipping unprivileged user only test") 90 } 91 cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), true) 92 err := cmd.Run() 93 if err == nil { 94 t.Skip("probably old kernel without security fix") 95 } 96 if !os.IsPermission(err) { 97 t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail") 98 } 99 } 100 101 func TestEmptyCredGroupsDisableSetgroups(t *testing.T) { 102 cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), false) 103 cmd.SysProcAttr.Credential = &syscall.Credential{} 104 if err := cmd.Run(); err != nil { 105 t.Fatal(err) 106 } 107 }