exec_linux.go

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build linux
     6  
     7  package syscall
     8  
     9  import (
    10  	errpkg "errors"
    11  	"internal/strconv"
    12  	"runtime"
    13  	"unsafe"
    14  )
    15  
    16  // Linux unshare/clone/clone2/clone3 flags, architecture-independent,
    17  // copied from linux/sched.h.
    18  const (
    19  	CLONE_VM             = 0x00000100 // set if VM shared between processes
    20  	CLONE_FS             = 0x00000200 // set if fs info shared between processes
    21  	CLONE_FILES          = 0x00000400 // set if open files shared between processes
    22  	CLONE_SIGHAND        = 0x00000800 // set if signal handlers and blocked signals shared
    23  	CLONE_PIDFD          = 0x00001000 // set if a pidfd should be placed in parent
    24  	CLONE_PTRACE         = 0x00002000 // set if we want to let tracing continue on the child too
    25  	CLONE_VFORK          = 0x00004000 // set if the parent wants the child to wake it up on mm_release
    26  	CLONE_PARENT         = 0x00008000 // set if we want to have the same parent as the cloner
    27  	CLONE_THREAD         = 0x00010000 // Same thread group?
    28  	CLONE_NEWNS          = 0x00020000 // New mount namespace group
    29  	CLONE_SYSVSEM        = 0x00040000 // share system V SEM_UNDO semantics
    30  	CLONE_SETTLS         = 0x00080000 // create a new TLS for the child
    31  	CLONE_PARENT_SETTID  = 0x00100000 // set the TID in the parent
    32  	CLONE_CHILD_CLEARTID = 0x00200000 // clear the TID in the child
    33  	CLONE_DETACHED       = 0x00400000 // Unused, ignored
    34  	CLONE_UNTRACED       = 0x00800000 // set if the tracing process can't force CLONE_PTRACE on this clone
    35  	CLONE_CHILD_SETTID   = 0x01000000 // set the TID in the child
    36  	CLONE_NEWCGROUP      = 0x02000000 // New cgroup namespace
    37  	CLONE_NEWUTS         = 0x04000000 // New utsname namespace
    38  	CLONE_NEWIPC         = 0x08000000 // New ipc namespace
    39  	CLONE_NEWUSER        = 0x10000000 // New user namespace
    40  	CLONE_NEWPID         = 0x20000000 // New pid namespace
    41  	CLONE_NEWNET         = 0x40000000 // New network namespace
    42  	CLONE_IO             = 0x80000000 // Clone io context
    43  
    44  	// Flags for the clone3() syscall.
    45  
    46  	CLONE_CLEAR_SIGHAND = 0x100000000 // Clear any signal handler and reset to SIG_DFL.
    47  	CLONE_INTO_CGROUP   = 0x200000000 // Clone into a specific cgroup given the right permissions.
    48  
    49  	// Cloning flags intersect with CSIGNAL so can be used with unshare and clone3
    50  	// syscalls only:
    51  
    52  	CLONE_NEWTIME = 0x00000080 // New time namespace
    53  )
    54  
    55  // SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
    56  // See user_namespaces(7).
    57  //
    58  // Note that User Namespaces are not available on a number of popular Linux
    59  // versions (due to security issues), or are available but subject to AppArmor
    60  // restrictions like in Ubuntu 24.04.
    61  type SysProcIDMap struct {
    62  	ContainerID int // Container ID.
    63  	HostID      int // Host ID.
    64  	Size        int // Size.
    65  }
    66  
    67  type SysProcAttr struct {
    68  	Chroot     string      // Chroot.
    69  	Credential *Credential // Credential.
    70  	// Ptrace tells the child to call ptrace(PTRACE_TRACEME).
    71  	// Call runtime.LockOSThread before starting a process with this set,
    72  	// and don't call UnlockOSThread until done with PtraceSyscall calls.
    73  	Ptrace bool
    74  	Setsid bool // Create session.
    75  	// Setpgid sets the process group ID of the child to Pgid,
    76  	// or, if Pgid == 0, to the new child's process ID.
    77  	Setpgid bool
    78  	// Setctty sets the controlling terminal of the child to
    79  	// file descriptor Ctty. Ctty must be a descriptor number
    80  	// in the child process: an index into ProcAttr.Files.
    81  	// This is only meaningful if Setsid is true.
    82  	Setctty bool
    83  	Noctty  bool // Detach fd 0 from controlling terminal.
    84  	Ctty    int  // Controlling TTY fd.
    85  	// Foreground places the child process group in the foreground.
    86  	// This implies Setpgid. The Ctty field must be set to
    87  	// the descriptor of the controlling TTY.
    88  	// Unlike Setctty, in this case Ctty must be a descriptor
    89  	// number in the parent process.
    90  	Foreground bool
    91  	Pgid       int // Child's process group ID if Setpgid.
    92  	// Pdeathsig, if non-zero, is a signal that the kernel will send to
    93  	// the child process when the creating thread dies. Note that the signal
    94  	// is sent on thread termination, which may happen before process termination.
    95  	// There are more details at https://go.dev/issue/27505.
    96  	Pdeathsig    Signal
    97  	Cloneflags   uintptr        // Flags for clone calls.
    98  	Unshareflags uintptr        // Flags for unshare calls.
    99  	UidMappings  []SysProcIDMap // User ID mappings for user namespaces.
   100  	GidMappings  []SysProcIDMap // Group ID mappings for user namespaces.
   101  	// GidMappingsEnableSetgroups enabling setgroups syscall.
   102  	// If false, then setgroups syscall will be disabled for the child process.
   103  	// This parameter is no-op if GidMappings == nil. Otherwise for unprivileged
   104  	// users this should be set to false for mappings work.
   105  	GidMappingsEnableSetgroups bool
   106  	AmbientCaps                []uintptr // Ambient capabilities.
   107  	UseCgroupFD                bool      // Whether to make use of the CgroupFD field.
   108  	CgroupFD                   int       // File descriptor of a cgroup to put the new process into.
   109  	// PidFD, if not nil, is used to store the pidfd of a child, if the
   110  	// functionality is supported by the kernel, or -1. Note *PidFD is
   111  	// changed only if the process starts successfully.
   112  	PidFD *int
   113  }
   114  
   115  var (
   116  	none  = [...]byte{'n', 'o', 'n', 'e', 0}
   117  	slash = [...]byte{'/', 0}
   118  
   119  	forceClone3 = false // Used by unit tests only.
   120  )
   121  
   122  // Implemented in runtime package.
   123  func runtime_BeforeFork()
   124  func runtime_AfterFork()
   125  func runtime_AfterForkInChild()
   126  
   127  // Fork, dup fd onto 0..len(fd), and exec(argv0, argvv, envv) in child.
   128  // If a dup or exec fails, write the errno error to pipe.
   129  // (Pipe is close-on-exec so if exec succeeds, it will be closed.)
   130  // In the child, this function must not acquire any locks, because
   131  // they might have been locked at the time of the fork. This means
   132  // no rescheduling, no malloc calls, and no new stack segments.
   133  // For the same reason compiler does not race instrument it.
   134  // The calls to RawSyscall are okay because they are assembly
   135  // functions that do not grow the stack.
   136  //
   137  //go:norace
   138  func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (pid int, err Errno) {
   139  	// Set up and fork. This returns immediately in the parent or
   140  	// if there's an error.
   141  	upid, pidfd, err, mapPipe, locked := forkAndExecInChild1(argv0, argv, envv, chroot, dir, attr, sys, pipe)
   142  	if locked {
   143  		runtime_AfterFork()
   144  	}
   145  	if err != 0 {
   146  		return 0, err
   147  	}
   148  
   149  	// parent; return PID
   150  	pid = int(upid)
   151  	if sys.PidFD != nil {
   152  		*sys.PidFD = int(pidfd)
   153  	}
   154  
   155  	if sys.UidMappings != nil || sys.GidMappings != nil {
   156  		Close(mapPipe[0])
   157  		var err2 Errno
   158  		// uid/gid mappings will be written after fork and unshare(2) for user
   159  		// namespaces.
   160  		if sys.Unshareflags&CLONE_NEWUSER == 0 {
   161  			if err := writeUidGidMappings(pid, sys); err != nil {
   162  				err2 = err.(Errno)
   163  			}
   164  		}
   165  		RawSyscall(SYS_WRITE, uintptr(mapPipe[1]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2))
   166  		Close(mapPipe[1])
   167  	}
   168  
   169  	return pid, 0
   170  }
   171  
   172  const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
   173  
   174  type capHeader struct {
   175  	version uint32
   176  	pid     int32
   177  }
   178  
   179  type capData struct {
   180  	effective   uint32
   181  	permitted   uint32
   182  	inheritable uint32
   183  }
   184  type caps struct {
   185  	hdr  capHeader
   186  	data [2]capData
   187  }
   188  
   189  // See CAP_TO_INDEX in linux/capability.h:
   190  func capToIndex(cap uintptr) uintptr { return cap >> 5 }
   191  
   192  // See CAP_TO_MASK in linux/capability.h:
   193  func capToMask(cap uintptr) uint32 { return 1 << uint(cap&31) }
   194  
   195  // cloneArgs holds arguments for clone3 Linux syscall.
   196  type cloneArgs struct {
   197  	flags      uint64 // Flags bit mask
   198  	pidFD      uint64 // Where to store PID file descriptor (int *)
   199  	childTID   uint64 // Where to store child TID, in child's memory (pid_t *)
   200  	parentTID  uint64 // Where to store child TID, in parent's memory (pid_t *)
   201  	exitSignal uint64 // Signal to deliver to parent on child termination
   202  	stack      uint64 // Pointer to lowest byte of stack
   203  	stackSize  uint64 // Size of stack
   204  	tls        uint64 // Location of new TLS
   205  	setTID     uint64 // Pointer to a pid_t array (since Linux 5.5)
   206  	setTIDSize uint64 // Number of elements in set_tid (since Linux 5.5)
   207  	cgroup     uint64 // File descriptor for target cgroup of child (since Linux 5.7)
   208  }
   209  
   210  // forkAndExecInChild1 implements the body of forkAndExecInChild up to
   211  // the parent's post-fork path. This is a separate function so we can
   212  // separate the child's and parent's stack frames if we're using
   213  // vfork.
   214  //
   215  // This is go:noinline because the point is to keep the stack frames
   216  // of this and forkAndExecInChild separate.
   217  //
   218  //go:noinline
   219  //go:norace
   220  //go:nocheckptr
   221  func forkAndExecInChild1(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (pid uintptr, pidfd int32, err1 Errno, mapPipe [2]int, locked bool) {
   222  	// Defined in linux/prctl.h starting with Linux 4.3.
   223  	const (
   224  		PR_CAP_AMBIENT       = 0x2f
   225  		PR_CAP_AMBIENT_RAISE = 0x2
   226  	)
   227  
   228  	// vfork requires that the child not touch any of the parent's
   229  	// active stack frames. Hence, the child does all post-fork
   230  	// processing in this stack frame and never returns, while the
   231  	// parent returns immediately from this frame and does all
   232  	// post-fork processing in the outer frame.
   233  	//
   234  	// Declare all variables at top in case any
   235  	// declarations require heap allocation (e.g., err2).
   236  	// ":=" should not be used to declare any variable after
   237  	// the call to runtime_BeforeFork.
   238  	//
   239  	// NOTE(bcmills): The allocation behavior described in the above comment
   240  	// seems to lack a corresponding test, and it may be rendered invalid
   241  	// by an otherwise-correct change in the compiler.
   242  	var (
   243  		err2                      Errno
   244  		nextfd                    int
   245  		i                         int
   246  		caps                      caps
   247  		fd1, flags, ppid          uintptr
   248  		puid, psetgroups, pgid    []byte
   249  		uidmap, setgroups, gidmap []byte
   250  		clone3                    *cloneArgs
   251  		pgrp                      int32
   252  		dirfd                     int
   253  		cred                      *Credential
   254  		ngroups, groups           uintptr
   255  		c                         uintptr
   256  		rlim                      *Rlimit
   257  		lim                       Rlimit
   258  	)
   259  	pidfd = -1
   260  
   261  	rlim = origRlimitNofile.Load()
   262  
   263  	if sys.UidMappings != nil {
   264  		puid = []byte("/proc/self/uid_map\000")
   265  		uidmap = formatIDMappings(sys.UidMappings)
   266  	}
   267  
   268  	if sys.GidMappings != nil {
   269  		psetgroups = []byte("/proc/self/setgroups\000")
   270  		pgid = []byte("/proc/self/gid_map\000")
   271  
   272  		if sys.GidMappingsEnableSetgroups {
   273  			setgroups = []byte("allow\000")
   274  		} else {
   275  			setgroups = []byte("deny\000")
   276  		}
   277  		gidmap = formatIDMappings(sys.GidMappings)
   278  	}
   279  
   280  	// Record parent PID so child can test if it has died.
   281  	if sys.Pdeathsig != 0 {
   282  		ppid, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   283  	}
   284  
   285  	// Guard against side effects of shuffling fds below.
   286  	// Make sure that nextfd is beyond any currently open files so
   287  	// that we can't run the risk of overwriting any of them.
   288  	fd := make([]int, len(attr.Files))
   289  	nextfd = len(attr.Files)
   290  	for i, ufd := range attr.Files {
   291  		if nextfd < int(ufd) {
   292  			nextfd = int(ufd)
   293  		}
   294  		fd[i] = int(ufd)
   295  	}
   296  	nextfd++
   297  
   298  	// Allocate another pipe for parent to child communication for
   299  	// synchronizing writing of User ID/Group ID mappings.
   300  	if sys.UidMappings != nil || sys.GidMappings != nil {
   301  		if err := forkExecPipe(mapPipe[:]); err != nil {
   302  			err1 = err.(Errno)
   303  			return
   304  		}
   305  	}
   306  
   307  	flags = sys.Cloneflags
   308  	if sys.Cloneflags&CLONE_NEWUSER == 0 && sys.Unshareflags&CLONE_NEWUSER == 0 {
   309  		flags |= CLONE_VFORK | CLONE_VM
   310  	}
   311  	if sys.PidFD != nil {
   312  		flags |= CLONE_PIDFD
   313  	}
   314  	// Whether to use clone3.
   315  	if sys.UseCgroupFD || flags&CLONE_NEWTIME != 0 || forceClone3 {
   316  		clone3 = &cloneArgs{
   317  			flags:      uint64(flags),
   318  			exitSignal: uint64(SIGCHLD),
   319  		}
   320  		if sys.UseCgroupFD {
   321  			clone3.flags |= CLONE_INTO_CGROUP
   322  			clone3.cgroup = uint64(sys.CgroupFD)
   323  		}
   324  		if sys.PidFD != nil {
   325  			clone3.pidFD = uint64(uintptr(unsafe.Pointer(&pidfd)))
   326  		}
   327  	}
   328  
   329  	// About to call fork.
   330  	// No more allocation or calls of non-assembly functions.
   331  	runtime_BeforeFork()
   332  	locked = true
   333  	if clone3 != nil {
   334  		pid, err1 = rawVforkSyscall(_SYS_clone3, uintptr(unsafe.Pointer(clone3)), unsafe.Sizeof(*clone3), 0)
   335  	} else {
   336  		// N.B. Keep in sync with doCheckClonePidfd.
   337  		flags |= uintptr(SIGCHLD)
   338  		if runtime.GOARCH == "s390x" {
   339  			// On Linux/s390, the first two arguments of clone(2) are swapped.
   340  			pid, err1 = rawVforkSyscall(SYS_CLONE, 0, flags, uintptr(unsafe.Pointer(&pidfd)))
   341  		} else {
   342  			pid, err1 = rawVforkSyscall(SYS_CLONE, flags, 0, uintptr(unsafe.Pointer(&pidfd)))
   343  		}
   344  	}
   345  	if err1 != 0 || pid != 0 {
   346  		// If we're in the parent, we must return immediately
   347  		// so we're not in the same stack frame as the child.
   348  		// This can at most use the return PC, which the child
   349  		// will not modify, and the results of
   350  		// rawVforkSyscall, which must have been written after
   351  		// the child was replaced.
   352  		return
   353  	}
   354  
   355  	// Fork succeeded, now in child.
   356  
   357  	// Enable the "keep capabilities" flag to set ambient capabilities later.
   358  	if len(sys.AmbientCaps) > 0 {
   359  		_, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_KEEPCAPS, 1, 0, 0, 0, 0)
   360  		if err1 != 0 {
   361  			goto childerror
   362  		}
   363  	}
   364  
   365  	// Wait for User ID/Group ID mappings to be written.
   366  	if sys.UidMappings != nil || sys.GidMappings != nil {
   367  		if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(mapPipe[1]), 0, 0); err1 != 0 {
   368  			goto childerror
   369  		}
   370  		c, _, err1 = RawSyscall(SYS_READ, uintptr(mapPipe[0]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2))
   371  		if err1 != 0 {
   372  			goto childerror
   373  		}
   374  		if c != unsafe.Sizeof(err2) {
   375  			err1 = EINVAL
   376  			goto childerror
   377  		}
   378  		if err2 != 0 {
   379  			err1 = err2
   380  			goto childerror
   381  		}
   382  	}
   383  
   384  	// Session ID
   385  	if sys.Setsid {
   386  		_, _, err1 = RawSyscall(SYS_SETSID, 0, 0, 0)
   387  		if err1 != 0 {
   388  			goto childerror
   389  		}
   390  	}
   391  
   392  	// Set process group
   393  	if sys.Setpgid || sys.Foreground {
   394  		// Place child in process group.
   395  		_, _, err1 = RawSyscall(SYS_SETPGID, 0, uintptr(sys.Pgid), 0)
   396  		if err1 != 0 {
   397  			goto childerror
   398  		}
   399  	}
   400  
   401  	if sys.Foreground {
   402  		pgrp = int32(sys.Pgid)
   403  		if pgrp == 0 {
   404  			pid, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   405  
   406  			pgrp = int32(pid)
   407  		}
   408  
   409  		// Place process group in foreground.
   410  		_, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSPGRP), uintptr(unsafe.Pointer(&pgrp)))
   411  		if err1 != 0 {
   412  			goto childerror
   413  		}
   414  	}
   415  
   416  	// Restore the signal mask. We do this after TIOCSPGRP to avoid
   417  	// having the kernel send a SIGTTOU signal to the process group.
   418  	runtime_AfterForkInChild()
   419  
   420  	// Unshare
   421  	if sys.Unshareflags != 0 {
   422  		_, _, err1 = RawSyscall(SYS_UNSHARE, sys.Unshareflags, 0, 0)
   423  		if err1 != 0 {
   424  			goto childerror
   425  		}
   426  
   427  		if sys.Unshareflags&CLONE_NEWUSER != 0 && sys.GidMappings != nil {
   428  			dirfd = int(_AT_FDCWD)
   429  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&psetgroups[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   430  				goto childerror
   431  			}
   432  			_, _, err1 = RawSyscall(SYS_WRITE, fd1, uintptr(unsafe.Pointer(&setgroups[0])), uintptr(len(setgroups)))
   433  			if err1 != 0 {
   434  				goto childerror
   435  			}
   436  			if _, _, err1 = RawSyscall(SYS_CLOSE, fd1, 0, 0); err1 != 0 {
   437  				goto childerror
   438  			}
   439  
   440  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&pgid[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   441  				goto childerror
   442  			}
   443  			_, _, err1 = RawSyscall(SYS_WRITE, fd1, uintptr(unsafe.Pointer(&gidmap[0])), uintptr(len(gidmap)))
   444  			if err1 != 0 {
   445  				goto childerror
   446  			}
   447  			if _, _, err1 = RawSyscall(SYS_CLOSE, fd1, 0, 0); err1 != 0 {
   448  				goto childerror
   449  			}
   450  		}
   451  
   452  		if sys.Unshareflags&CLONE_NEWUSER != 0 && sys.UidMappings != nil {
   453  			dirfd = int(_AT_FDCWD)
   454  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&puid[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   455  				goto childerror
   456  			}
   457  			_, _, err1 = RawSyscall(SYS_WRITE, fd1, uintptr(unsafe.Pointer(&uidmap[0])), uintptr(len(uidmap)))
   458  			if err1 != 0 {
   459  				goto childerror
   460  			}
   461  			if _, _, err1 = RawSyscall(SYS_CLOSE, fd1, 0, 0); err1 != 0 {
   462  				goto childerror
   463  			}
   464  		}
   465  
   466  		// The unshare system call in Linux doesn't unshare mount points
   467  		// mounted with --shared. Systemd mounts / with --shared. For a
   468  		// long discussion of the pros and cons of this see debian bug 739593.
   469  		// The Go model of unsharing is more like Plan 9, where you ask
   470  		// to unshare and the namespaces are unconditionally unshared.
   471  		// To make this model work we must further mark / as MS_PRIVATE.
   472  		// This is what the standard unshare command does.
   473  		if sys.Unshareflags&CLONE_NEWNS == CLONE_NEWNS {
   474  			_, _, err1 = RawSyscall6(SYS_MOUNT, uintptr(unsafe.Pointer(&none[0])), uintptr(unsafe.Pointer(&slash[0])), 0, MS_REC|MS_PRIVATE, 0, 0)
   475  			if err1 != 0 {
   476  				goto childerror
   477  			}
   478  		}
   479  	}
   480  
   481  	// Chroot
   482  	if chroot != nil {
   483  		_, _, err1 = RawSyscall(SYS_CHROOT, uintptr(unsafe.Pointer(chroot)), 0, 0)
   484  		if err1 != 0 {
   485  			goto childerror
   486  		}
   487  	}
   488  
   489  	// User and groups
   490  	if cred = sys.Credential; cred != nil {
   491  		ngroups = uintptr(len(cred.Groups))
   492  		groups = uintptr(0)
   493  		if ngroups > 0 {
   494  			groups = uintptr(unsafe.Pointer(&cred.Groups[0]))
   495  		}
   496  		if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) && !cred.NoSetGroups {
   497  			_, _, err1 = RawSyscall(_SYS_setgroups, ngroups, groups, 0)
   498  			if err1 != 0 {
   499  				goto childerror
   500  			}
   501  		}
   502  		_, _, err1 = RawSyscall(sys_SETGID, uintptr(cred.Gid), 0, 0)
   503  		if err1 != 0 {
   504  			goto childerror
   505  		}
   506  		_, _, err1 = RawSyscall(sys_SETUID, uintptr(cred.Uid), 0, 0)
   507  		if err1 != 0 {
   508  			goto childerror
   509  		}
   510  	}
   511  
   512  	if len(sys.AmbientCaps) != 0 {
   513  		// Ambient capabilities were added in the 4.3 kernel,
   514  		// so it is safe to always use _LINUX_CAPABILITY_VERSION_3.
   515  		caps.hdr.version = _LINUX_CAPABILITY_VERSION_3
   516  
   517  		if _, _, err1 = RawSyscall(SYS_CAPGET, uintptr(unsafe.Pointer(&caps.hdr)), uintptr(unsafe.Pointer(&caps.data[0])), 0); err1 != 0 {
   518  			goto childerror
   519  		}
   520  
   521  		for _, c = range sys.AmbientCaps {
   522  			// Add the c capability to the permitted and inheritable capability mask,
   523  			// otherwise we will not be able to add it to the ambient capability mask.
   524  			caps.data[capToIndex(c)].permitted |= capToMask(c)
   525  			caps.data[capToIndex(c)].inheritable |= capToMask(c)
   526  		}
   527  
   528  		if _, _, err1 = RawSyscall(SYS_CAPSET, uintptr(unsafe.Pointer(&caps.hdr)), uintptr(unsafe.Pointer(&caps.data[0])), 0); err1 != 0 {
   529  			goto childerror
   530  		}
   531  
   532  		for _, c = range sys.AmbientCaps {
   533  			_, _, err1 = RawSyscall6(SYS_PRCTL, PR_CAP_AMBIENT, uintptr(PR_CAP_AMBIENT_RAISE), c, 0, 0, 0)
   534  			if err1 != 0 {
   535  				goto childerror
   536  			}
   537  		}
   538  	}
   539  
   540  	// Chdir
   541  	if dir != nil {
   542  		_, _, err1 = RawSyscall(SYS_CHDIR, uintptr(unsafe.Pointer(dir)), 0, 0)
   543  		if err1 != 0 {
   544  			goto childerror
   545  		}
   546  	}
   547  
   548  	// Parent death signal
   549  	if sys.Pdeathsig != 0 {
   550  		_, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_PDEATHSIG, uintptr(sys.Pdeathsig), 0, 0, 0, 0)
   551  		if err1 != 0 {
   552  			goto childerror
   553  		}
   554  
   555  		// Signal self if parent is already dead. This might cause a
   556  		// duplicate signal in rare cases, but it won't matter when
   557  		// using SIGKILL.
   558  		pid, _ = rawSyscallNoError(SYS_GETPPID, 0, 0, 0)
   559  		if pid != ppid {
   560  			pid, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   561  			_, _, err1 = RawSyscall(SYS_KILL, pid, uintptr(sys.Pdeathsig), 0)
   562  			if err1 != 0 {
   563  				goto childerror
   564  			}
   565  		}
   566  	}
   567  
   568  	// Pass 1: look for fd[i] < i and move those up above len(fd)
   569  	// so that pass 2 won't stomp on an fd it needs later.
   570  	if pipe < nextfd {
   571  		_, _, err1 = RawSyscall(SYS_DUP3, uintptr(pipe), uintptr(nextfd), O_CLOEXEC)
   572  		if err1 != 0 {
   573  			goto childerror
   574  		}
   575  		pipe = nextfd
   576  		nextfd++
   577  	}
   578  	for i = 0; i < len(fd); i++ {
   579  		if fd[i] >= 0 && fd[i] < i {
   580  			if nextfd == pipe { // don't stomp on pipe
   581  				nextfd++
   582  			}
   583  			_, _, err1 = RawSyscall(SYS_DUP3, uintptr(fd[i]), uintptr(nextfd), O_CLOEXEC)
   584  			if err1 != 0 {
   585  				goto childerror
   586  			}
   587  			fd[i] = nextfd
   588  			nextfd++
   589  		}
   590  	}
   591  
   592  	// Pass 2: dup fd[i] down onto i.
   593  	for i = 0; i < len(fd); i++ {
   594  		if fd[i] == -1 {
   595  			RawSyscall(SYS_CLOSE, uintptr(i), 0, 0)
   596  			continue
   597  		}
   598  		if fd[i] == i {
   599  			// dup2(i, i) won't clear close-on-exec flag on Linux,
   600  			// probably not elsewhere either.
   601  			_, _, err1 = RawSyscall(fcntl64Syscall, uintptr(fd[i]), F_SETFD, 0)
   602  			if err1 != 0 {
   603  				goto childerror
   604  			}
   605  			continue
   606  		}
   607  		// The new fd is created NOT close-on-exec,
   608  		// which is exactly what we want.
   609  		_, _, err1 = RawSyscall(SYS_DUP3, uintptr(fd[i]), uintptr(i), 0)
   610  		if err1 != 0 {
   611  			goto childerror
   612  		}
   613  	}
   614  
   615  	// By convention, we don't close-on-exec the fds we are
   616  	// started with, so if len(fd) < 3, close 0, 1, 2 as needed.
   617  	// Programs that know they inherit fds >= 3 will need
   618  	// to set them close-on-exec.
   619  	for i = len(fd); i < 3; i++ {
   620  		RawSyscall(SYS_CLOSE, uintptr(i), 0, 0)
   621  	}
   622  
   623  	// Detach fd 0 from tty
   624  	if sys.Noctty {
   625  		_, _, err1 = RawSyscall(SYS_IOCTL, 0, uintptr(TIOCNOTTY), 0)
   626  		if err1 != 0 {
   627  			goto childerror
   628  		}
   629  	}
   630  
   631  	// Set the controlling TTY to Ctty
   632  	if sys.Setctty {
   633  		_, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSCTTY), 1)
   634  		if err1 != 0 {
   635  			goto childerror
   636  		}
   637  	}
   638  
   639  	// Restore original rlimit.
   640  	if rlim != nil {
   641  		// Some other process may have changed our rlimit by
   642  		// calling prlimit. We can check for that case because
   643  		// our current rlimit will not be the value we set when
   644  		// caching the rlimit in the init function in rlimit.go.
   645  		//
   646  		// Note that this test is imperfect, since it won't catch
   647  		// the case in which some other process used prlimit to
   648  		// set our rlimits to max-1/max. In that case we will fall
   649  		// back to the original cur/max when starting the child.
   650  		// We hope that setting to max-1/max is unlikely.
   651  		_, _, err1 = RawSyscall6(SYS_PRLIMIT64, 0, RLIMIT_NOFILE, 0, uintptr(unsafe.Pointer(&lim)), 0, 0)
   652  		if err1 != 0 || (lim.Cur == rlim.Max-1 && lim.Max == rlim.Max) {
   653  			RawSyscall6(SYS_PRLIMIT64, 0, RLIMIT_NOFILE, uintptr(unsafe.Pointer(rlim)), 0, 0, 0)
   654  		}
   655  	}
   656  
   657  	// Enable tracing if requested.
   658  	// Do this right before exec so that we don't unnecessarily trace the runtime
   659  	// setting up after the fork. See issue #21428.
   660  	if sys.Ptrace {
   661  		_, _, err1 = RawSyscall(SYS_PTRACE, uintptr(PTRACE_TRACEME), 0, 0)
   662  		if err1 != 0 {
   663  			goto childerror
   664  		}
   665  	}
   666  
   667  	// Time to exec.
   668  	_, _, err1 = RawSyscall(SYS_EXECVE,
   669  		uintptr(unsafe.Pointer(argv0)),
   670  		uintptr(unsafe.Pointer(&argv[0])),
   671  		uintptr(unsafe.Pointer(&envv[0])))
   672  
   673  childerror:
   674  	// send error code on pipe
   675  	RawSyscall(SYS_WRITE, uintptr(pipe), uintptr(unsafe.Pointer(&err1)), unsafe.Sizeof(err1))
   676  	for {
   677  		RawSyscall(SYS_EXIT, 253, 0, 0)
   678  	}
   679  }
   680  
   681  func formatIDMappings(idMap []SysProcIDMap) []byte {
   682  	var data []byte
   683  	for _, im := range idMap {
   684  		data = append(data, strconv.Itoa(im.ContainerID)+" "+strconv.Itoa(im.HostID)+" "+strconv.Itoa(im.Size)+"\n"...)
   685  	}
   686  	return data
   687  }
   688  
   689  // writeIDMappings writes the user namespace User ID or Group ID mappings to the specified path.
   690  func writeIDMappings(path string, idMap []SysProcIDMap) error {
   691  	fd, err := Open(path, O_RDWR, 0)
   692  	if err != nil {
   693  		return err
   694  	}
   695  
   696  	if _, err := Write(fd, formatIDMappings(idMap)); err != nil {
   697  		Close(fd)
   698  		return err
   699  	}
   700  
   701  	if err := Close(fd); err != nil {
   702  		return err
   703  	}
   704  
   705  	return nil
   706  }
   707  
   708  // writeSetgroups writes to /proc/PID/setgroups "deny" if enable is false
   709  // and "allow" if enable is true.
   710  // This is needed since kernel 3.19, because you can't write gid_map without
   711  // disabling setgroups() system call.
   712  func writeSetgroups(pid int, enable bool) error {
   713  	sgf := "/proc/" + strconv.Itoa(pid) + "/setgroups"
   714  	fd, err := Open(sgf, O_RDWR, 0)
   715  	if err != nil {
   716  		return err
   717  	}
   718  
   719  	var data []byte
   720  	if enable {
   721  		data = []byte("allow")
   722  	} else {
   723  		data = []byte("deny")
   724  	}
   725  
   726  	if _, err := Write(fd, data); err != nil {
   727  		Close(fd)
   728  		return err
   729  	}
   730  
   731  	return Close(fd)
   732  }
   733  
   734  // writeUidGidMappings writes User ID and Group ID mappings for user namespaces
   735  // for a process and it is called from the parent process.
   736  func writeUidGidMappings(pid int, sys *SysProcAttr) error {
   737  	if sys.UidMappings != nil {
   738  		uidf := "/proc/" + strconv.Itoa(pid) + "/uid_map"
   739  		if err := writeIDMappings(uidf, sys.UidMappings); err != nil {
   740  			return err
   741  		}
   742  	}
   743  
   744  	if sys.GidMappings != nil {
   745  		// If the kernel is too old to support /proc/PID/setgroups, writeSetGroups will return ENOENT; this is OK.
   746  		if err := writeSetgroups(pid, sys.GidMappingsEnableSetgroups); err != nil && err != ENOENT {
   747  			return err
   748  		}
   749  		gidf := "/proc/" + strconv.Itoa(pid) + "/gid_map"
   750  		if err := writeIDMappings(gidf, sys.GidMappings); err != nil {
   751  			return err
   752  		}
   753  	}
   754  
   755  	return nil
   756  }
   757  
   758  // forkAndExecFailureCleanup cleans up after an exec failure.
   759  func forkAndExecFailureCleanup(attr *ProcAttr, sys *SysProcAttr) {
   760  	if sys.PidFD != nil && *sys.PidFD != -1 {
   761  		Close(*sys.PidFD)
   762  		*sys.PidFD = -1
   763  	}
   764  }
   765  
   766  // checkClonePidfd verifies that clone(CLONE_PIDFD) works by actually doing a
   767  // clone.
   768  //
   769  //go:linkname os_checkClonePidfd os.checkClonePidfd
   770  func os_checkClonePidfd() error {
   771  	pidfd := int32(-1)
   772  	pid, errno := doCheckClonePidfd(&pidfd)
   773  	if errno != 0 {
   774  		return errno
   775  	}
   776  
   777  	if pidfd == -1 {
   778  		// Bad: CLONE_PIDFD failed to provide a pidfd. Reap the process
   779  		// before returning.
   780  
   781  		var err error
   782  		for {
   783  			var status WaitStatus
   784  			// WCLONE is an untyped constant that sets bit 31, so
   785  			// it cannot convert directly to int on 32-bit
   786  			// GOARCHes. We must convert through another type
   787  			// first.
   788  			flags := uint(WCLONE)
   789  			_, err = Wait4(int(pid), &status, int(flags), nil)
   790  			if err != EINTR {
   791  				break
   792  			}
   793  		}
   794  		if err != nil {
   795  			return err
   796  		}
   797  
   798  		return errpkg.New("clone(CLONE_PIDFD) failed to return pidfd")
   799  	}
   800  
   801  	// Good: CLONE_PIDFD provided a pidfd. Reap the process and close the
   802  	// pidfd.
   803  	defer Close(int(pidfd))
   804  
   805  	// TODO(roland): this is necessary to prevent valgrind from complaining
   806  	// about passing 0x0 to waitid, which is doesn't like. This is clearly not
   807  	// ideal. The structures are copied (mostly) verbatim from syscall/unix,
   808  	// which we obviously cannot import because of an import loop.
   809  
   810  	const is64bit = ^uint(0) >> 63 // 0 for 32-bit hosts, 1 for 64-bit ones.
   811  	type sigInfo struct {
   812  		Signo int32
   813  		_     struct {
   814  			Errno int32
   815  			Code  int32
   816  		} // Two int32 fields, swapped on MIPS.
   817  		_ [is64bit]int32 // Extra padding for 64-bit hosts only.
   818  
   819  		// End of common part. Beginning of signal-specific part.
   820  
   821  		Pid    int32
   822  		Uid    uint32
   823  		Status int32
   824  
   825  		// Pad to 128 bytes.
   826  		_ [128 - (6+is64bit)*4]byte
   827  	}
   828  
   829  	for {
   830  		const _P_PIDFD = 3
   831  		var info sigInfo
   832  		_, _, errno = Syscall6(SYS_WAITID, _P_PIDFD, uintptr(pidfd), uintptr(unsafe.Pointer(&info)), WEXITED|WCLONE, 0, 0)
   833  		if errno != EINTR {
   834  			break
   835  		}
   836  	}
   837  	if errno != 0 {
   838  		return errno
   839  	}
   840  
   841  	return nil
   842  }
   843  
   844  // doCheckClonePidfd implements the actual clone call of os_checkClonePidfd and
   845  // child execution. This is a separate function so we can separate the child's
   846  // and parent's stack frames if we're using vfork.
   847  //
   848  // This is go:noinline because the point is to keep the stack frames of this
   849  // and os_checkClonePidfd separate.
   850  //
   851  //go:noinline
   852  func doCheckClonePidfd(pidfd *int32) (pid uintptr, errno Errno) {
   853  	flags := uintptr(CLONE_VFORK | CLONE_VM | CLONE_PIDFD)
   854  	if runtime.GOARCH == "s390x" {
   855  		// On Linux/s390, the first two arguments of clone(2) are swapped.
   856  		pid, errno = rawVforkSyscall(SYS_CLONE, 0, flags, uintptr(unsafe.Pointer(pidfd)))
   857  	} else {
   858  		pid, errno = rawVforkSyscall(SYS_CLONE, flags, 0, uintptr(unsafe.Pointer(pidfd)))
   859  	}
   860  	if errno != 0 || pid != 0 {
   861  		// If we're in the parent, we must return immediately
   862  		// so we're not in the same stack frame as the child.
   863  		// This can at most use the return PC, which the child
   864  		// will not modify, and the results of
   865  		// rawVforkSyscall, which must have been written after
   866  		// the child was replaced.
   867  		return
   868  	}
   869  
   870  	for {
   871  		RawSyscall(SYS_EXIT_GROUP, 0, 0, 0)
   872  	}
   873  }
   874
View as plain text