summaryrefslogtreecommitdiff
path: root/src/syscall/exec_linux_test.go
Commit message (Collapse)AuthorAgeFilesLines
* syscall: relax output check in TestGroupCleanupUserNamespaceBryan C. Mills2022-03-311-16/+9
| | | | | | | | | | | | | | | | | | | | | | | | | “If you have a procedure with ten parameters, you probably missed some.” ― attr. Alan J. Perlis I argue that the same is true for hard-coded special cases. In TestGroupCleanupUserNamespace, instead of a curated list of strings observed in the wild we now check for a prefix, as was done for TestGroupCleanup in CL 24670. Updates #16224. Updates #16303. Updates #19938. Updates #34547. Updates #46752. Fixes #52088. Change-Id: I59c5b0c048113e306996c0f8247e09c714d2423a Reviewed-on: https://go-review.googlesource.com/c/go/+/397316 Trust: Bryan Mills <bcmills@google.com> Run-TryBot: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* all: go fix -fix=buildtag std cmd (except for bootstrap deps, vendor)Russ Cox2021-10-281-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | When these packages are released as part of Go 1.18, Go 1.16 will no longer be supported, so we can remove the +build tags in these files. Ran go fix -fix=buildtag std cmd and then reverted the bootstrapDirs as defined in src/cmd/dist/buildtool.go, which need to continue to build with Go 1.4 for now. Also reverted src/vendor and src/cmd/vendor, which will need to be updated in their own repos first. Manual changes in runtime/pprof/mprof_test.go to adjust line numbers. For #41184. Change-Id: Ic0f93f7091295b6abc76ed5cd6e6746e1280861e Reviewed-on: https://go-review.googlesource.com/c/go/+/344955 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com>
* all: use bytes.Cut, strings.CutRuss Cox2021-10-061-3/+1
| | | | | | | | | | | | | | | Many uses of Index/IndexByte/IndexRune/Split/SplitN can be written more clearly using the new Cut functions. Do that. Also rewrite to other functions if that's clearer. For #46336. Change-Id: I68d024716ace41a57a8bf74455c62279bde0f448 Reviewed-on: https://go-review.googlesource.com/c/go/+/351711 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: remove use of IN_KUBERNETES in testTobias Klauser2021-09-141-16/+0
| | | | | | | | | | | | | | | CL 201737 dropped the use of IN_KUBERNETES in tests, but it looks like it did not catch all occurrences. For #12815 For #34956 Change-Id: I72b89bfb850ba2890e9e6aa39b87167291ab7e9f Reviewed-on: https://go-review.googlesource.com/c/go/+/349789 Trust: Tobias Klauser <tobias.klauser@gmail.com> Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
* syscall: fix TestGroupCleanupUserNamespace test failure on FedoraRahul Bajaj2021-06-161-0/+1
| | | | | | | | | | | | | Fixes #46752 Change-Id: I2eaa9d15fac4e859e18191fcf1372e5be94899df GitHub-Last-Rev: 8a2672d8dc6713ec6cbd207d870e893062c8fe5b GitHub-Pull-Request: golang/go#46753 Reviewed-on: https://go-review.googlesource.com/c/go/+/328109 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
* all: go fmt std cmd (but revert vendor)Russ Cox2021-02-201-0/+1
| | | | | | | | | | | | | | | | Make all our package sources use Go 1.17 gofmt format (adding //go:build lines). Part of //go:build change (#41184). See https://golang.org/design/draft-gobuild Change-Id: Ia0534360e4957e58cd9a18429c39d0e32a6addb4 Reviewed-on: https://go-review.googlesource.com/c/go/+/294430 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* all: update to use os.ReadFile, os.WriteFile, os.CreateTemp, os.MkdirTempRuss Cox2020-12-091-8/+7
| | | | | | | | | | | | | | | | | | | | | | As part of #42026, these helpers from io/ioutil were moved to os. (ioutil.TempFile and TempDir became os.CreateTemp and MkdirTemp.) Update the Go tree to use the preferred names. As usual, code compiled with the Go 1.4 bootstrap toolchain and code vendored from other sources is excluded. ReadDir changes are in a separate CL, because they are not a simple search and replace. For #42026. Change-Id: If318df0216d57e95ea0c4093b89f65e5b0ababb3 Reviewed-on: https://go-review.googlesource.com/c/go/+/266365 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: append to environment in tests, don't clobber itIan Lance Taylor2020-05-111-3/+3
| | | | | | | | | | Fixes https://gcc.gnu.org/PR95061 Change-Id: I3cddfe5920b6da572ddeafa201617003c25175e6 Reviewed-on: https://go-review.googlesource.com/c/go/+/233318 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
* syscall: remove use of IN_KUBERNETES in test, add a TODO to improve furtherBrad Fitzpatrick2019-10-171-24/+8
| | | | | | | | | | | Updates #34956 Change-Id: I35c39f3afda7226eeae0fd6936f7ee0d5d6c025b Reviewed-on: https://go-review.googlesource.com/c/go/+/201737 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: fix TestGroupCleanupUserNamespace on CentOSTobias Klauser2019-09-301-0/+1
| | | | | | | | | | | | | | Update the list of expected "id" outputs in TestGroupCleanupUserNamespace with SELinux context information as used on CentOS. Fixes #34547 Change-Id: I426bbe2d04e2039c87490362a1891ec3de6e36e0 Reviewed-on: https://go-review.googlesource.com/c/go/+/197841 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
* syscall: extend skip criteria for TestAmbientCapsUsernsTobias Klauser2019-09-191-1/+1
| | | | | | | | | | | | | TestAmbientCapsUserns also needs to be skipped, e.g. in case the test is run inside a chroot. Updates #34015 Change-Id: I53913432fe9408217edfe64619adbfd911a51a7a Reviewed-on: https://go-review.googlesource.com/c/go/+/196500 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: skip TestAmbientCapsUserns if user namespaces are not supportedTobias Klauser2019-09-181-9/+14
| | | | | | | | | | Fixes #34015 Change-Id: I29798fb9c72b6f4bee8aecea96ab13b4cba2e80d Reviewed-on: https://go-review.googlesource.com/c/go/+/195738 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
* syscall: fix skip condition in skipUnprivilegedUserCloneMeng Zhuo2019-06-061-1/+1
| | | | | | | | | | | | | | | This is a follow up CL of CL 180877: It will skip test create user namespaces under 3 conditions: 1. sysctl file is missing 2. file reads nothing 3. user don't have permission to create namespaces Change-Id: I25f00a6b67213bf98d654972388637789978e1fe Reviewed-on: https://go-review.googlesource.com/c/go/+/180937 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
* syscall: skip test if unprivileged_userns_clone sysctl is missingMeng Zhuo2019-06-061-10/+11
| | | | | | | | | | | | | | The original test (CL 166460) didn't check the existence of /proc/sys/kernel/unprivileged_userns_clone and continue the test if the file doesn't exist. Fixes #32459 Change-Id: Iab4938252fcaded32b61e17edf68f966c2565582 Reviewed-on: https://go-review.googlesource.com/c/go/+/180877 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
* syscall: correctly set up uid/gid mappings in user namespacesMichael Stapelberg2019-03-121-0/+43
| | | | | | | | | | | | | | | | | Before this CL, uid/gid mapping was always set up from the parent process, which is a privileged operation. When using unprivileged user namespaces, a process can modify its uid/gid mapping after the unshare(2) call (but setting the uid/gid mapping from another process is NOT possible). Fixes #29789 Change-Id: I8c96a03f5da23fe80bbb83ef051ad89cf185d750 Reviewed-on: https://go-review.googlesource.com/c/go/+/158298 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: skip non-root user namespace test if kernel forbidsAlberto Donizetti2019-03-101-0/+7
| | | | | | | | | | | | | | | | | | | | | | The unprivileged_userns_clone sysctl prevents unpriviledged users from creating namespaces, which the AmbientCaps test does. It's set to 0 by default in a few Linux distributions (Debian and Arch, possibly others), so we need to check it before running the test. I've verified that setting echo 1 > /proc/sys/kernel/unprivileged_userns_clone and then running the test *without this patch* makes it pass, which proves that checking unprivileged_userns_clone is indeed sufficient. Fixes #30698 Change-Id: Ib2079b5e714d7f2440ddf979c3e7cfda9a9c5005 Reviewed-on: https://go-review.googlesource.com/c/go/+/166460 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: add all ambient capabilities into permitted and inheritable setsAndrei Vagin2019-03-081-17/+39
| | | | | | | | | | | | | | | | | | | | | | According to the prctl man page, each capability from the ambient set must already be present in both the permitted and the inheritable sets of the process. exec_linux_test suggests configuring the capabilities in the parent process. This doesn't look nice, because: * Capabilities are a per-thread attribute, so we need to use LockOSThread. * Need to restore capabilities after creating a process. * Doesn't work with user namespaces, because a process gets capabilities when a namespace is created. Fixes #23152 Change-Id: Iba23e530fc7b9f5182d602fe855f82218f354219 Reviewed-on: https://go-review.googlesource.com/c/go/+/156577 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: skip an unsupported test case on androidBen Shi2018-08-291-0/+6
| | | | | | | | | | | | Lookup is not supported on android, and the test syscall/exec_linux_test.go which relies on it will fail on android/arm64. Fixes #27327 Change-Id: I6fdb8992d4634ac7e3689360ff114e9431b5e90c Reviewed-on: https://go-review.googlesource.com/131995 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
* syscall: update check for UserNS support for CentOS 7.5+EduRam2018-07-181-0/+9
| | | | | | | | | | Fixes #26385 Change-Id: I5594564f42898a71d30531e5132bddb3a6915247 GitHub-Last-Rev: fbd7b38b0419e21ecd22fe802ede5c0ee3f14a9a GitHub-Pull-Request: golang/go#26427 Reviewed-on: https://go-review.googlesource.com/124555 Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: fix TestCloneNEWUSERAndRemapRootEnableSetgroups on linuxHiroshi Ioka2017-09-101-1/+1
| | | | | | | | | | | Despite its name, it did the same thing as TestCloneNEWUSERAndRemapRootDisableSetgroups in old code. So fix it. Change-Id: I21265e539179c51980e16f07a553a9bf5bb7903f Reviewed-on: https://go-review.googlesource.com/35273 Run-TryBot: David Crawshaw <crawshaw@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: David Crawshaw <crawshaw@golang.org>
* syscall: skip some exec tests in containerAlexander Morozov2017-08-231-0/+23
| | | | | | | | | | | | | | | For those tests there won't be enough permissions in containers. I decided to go this way instead of just skipping os.IsPermission errors because many of those tests were specifically written to check false positive permission errors. Fixes #21379 Change-Id: Ie25e1d6d47f85bb6b570352638440f3ac1e18e03 Reviewed-on: https://go-review.googlesource.com/58170 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: update check for UserNS support for centos 7Jess Frazelle2017-07-171-0/+8
| | | | | | | | | | | Fixes #20796 Fixes #16283 Change-Id: Ib11992fbd2bc1fbb3b14ae5a6bf0da2e4c12f641 Reviewed-on: https://go-review.googlesource.com/49311 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: skip TestUnshare on Linux upon permission errorBrad Fitzpatrick2017-07-141-0/+6
| | | | | | | | | | Fixes #17206 Change-Id: Id0ebc3a55ea1c5f52608decffee04c8398a8774b Reviewed-on: https://go-review.googlesource.com/48571 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: use correct go binary in testBrad Fitzpatrick2017-07-121-1/+2
| | | | | | | | | | | | | Usually this test is skipped (on builders and when not root), so people are unlikely to see this error. Updates #19296 Change-Id: I3acb81260034dad8776c305f83d7cbac4b718e75 Reviewed-on: https://go-review.googlesource.com/48191 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: add AmbientCaps to linux SysProcAttrMichael Stapelberg2017-06-281-0/+159
| | | | | | | | Fixes #19713 Change-Id: Id1ca61b35bca2a4bea23dd64c7fb001a3a14fd88 Reviewed-on: https://go-review.googlesource.com/43512 Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: fix ordering of Unshare and chroot on LinuxRonald G. Minnich2017-04-251-1/+63
| | | | | | | | | | | | | | | | | | | | | When unshare specifies a new namespace, the syscall package changes / to make namespace changes private. If a chroot is specified, the unshare must be done first. If the chroot is done first then the unshare will not specify the correct /. A new test is included which test combining chroot and CLONE_NEWNS; it fails without the patch and works with it. Fixes #20103 Change-Id: I86022803c784bd418a30383321f3d64103d95c62 Reviewed-on: https://go-review.googlesource.com/41626 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: fix TestGroupCleanup{UserNamespace} on AlpineJess Frazelle2017-04-131-1/+3
| | | | | | | | | | | | | | This updates TestGroupCleanup and TestGroupCleanupUserNamespace to pass in the Alpine builder. Updates #19938 Change-Id: Iacbfd73782eccd57f872f9e85726c6024529c277 Reviewed-on: https://go-review.googlesource.com/40692 Reviewed-by: Daniel Martí <mvdan@mvdan.cc> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Daniel Martí <mvdan@mvdan.cc> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: skip test on TestUnshareMountNameSpace permission errorBrad Fitzpatrick2017-03-311-1/+4
| | | | | | | | | | | | | | | | TestUnshareMountNameSpace fails on arm64 due to permission problems. Skip that test for now when permission problems are encountered, so we don't regress elsewhere in the meantime. Updates #19698 Change-Id: I9058928afa474b813652c9489f343b8957160a6c Reviewed-on: https://go-review.googlesource.com/39052 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Josh Bleecher Snyder <josharian@gmail.com>
* os/exec: handle Unshareflags with CLONE_NEWNSRonald G. Minnich2017-03-231-0/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In some newer Linux distros, systemd forces all mount namespaces to be shared, starting at /. This disables the CLONE_NEWNS flag in unshare(2) and clone(2). While this problem is most commonly seen on systems with systemd, it can happen anywhere, due to how Linux namespaces now work. Hence, to create a private mount namespace, it is not sufficient to just set CLONE_NEWS; you have to call mount(2) to change the behavior of namespaces, i.e. mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) This is tested and working and we can now correctly start child process with private namespaces on Linux distros that use systemd. The new test works correctly on Ubuntu 16.04.2 LTS. It fails if I comment out the new Mount, and succeeds otherwise. In each case it correctly cleans up after itself. Fixes #19661 Change-Id: I52240b59628e3772b529d9bbef7166606b0c157d Reviewed-on: https://go-review.googlesource.com/38471 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: relax TestUnshareQuentin Smith2016-10-051-2/+8
| | | | | | | | | | | | | | | | | Fixes #17224. Some systems have more than just "lo" in a fresh network namespace, due to IPv6. Instead of testing for exactly 3 lines of output (implying 1 interface), just test to make sure that the unshare call resulted in fewer interfaces than before. This should still verify that unshare did something. Change-Id: Iaf84c2b0e673fc207059d62e2f4dd7583a753419 Reviewed-on: https://go-review.googlesource.com/30372 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jessica Frazelle <me@jessfraz.com> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: add another output for TestGroupCleanupUserNamespaceIan Lance Taylor2016-07-081-0/+1
| | | | | | | | | | Fixes #16303. Change-Id: I2832477ce0117a66da53ca1f198ebb6121953d56 Reviewed-on: https://go-review.googlesource.com/24833 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: accept more variants of id output when testing as rootIan Lance Taylor2016-06-301-7/+16
| | | | | | | | | | | | | This should fix the report at #16224, and also fixes running the test as root on my Ubuntu Trusty system. Fixes #16224. Change-Id: I4e3b5527aa63366afb33a7e30efab088d34fb302 Reviewed-on: https://go-review.googlesource.com/24670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: skip TestUnshare if kernel does not support net namespaceCherry Zhang2016-06-151-0/+6
| | | | | | | | | | Fixes #16056. Change-Id: Ic3343914742713851b8ae969b101521f25e85e7b Reviewed-on: https://go-review.googlesource.com/24132 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: deflake TestUnshareMikio Hara2016-06-021-1/+12
| | | | | | | | Change-Id: I21a08c2ff5ebb74e158723cca323574432870ba8 Reviewed-on: https://go-review.googlesource.com/23662 Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com> Reviewed-by: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: call setgroups for no groups on GNU/LinuxAlexander Morozov2016-06-021-1/+60
| | | | | | | | | | | | | | Skip setgroups only for one particular case: GidMappings != nil and GidMappingsEnableSetgroup == false and list of supplementary groups is empty. This patch returns pre-1.5 behavior for simple exec and still allows to use GidMappings with non-empty Credential. Change-Id: Ia91c77e76ec5efab7a7f78134ffb529910108fc1 Reviewed-on: https://go-review.googlesource.com/23524 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: rename SysProcAttr.Unshare to UnshareflagsAlexander Morozov2016-06-011-1/+1
| | | | | | | | | | | | For symmetry with Cloneflags and it looks slightly weird because there is syscall.Unshare method. Change-Id: I3d710177ca8f27c05b344407f212cbbe3435094b Reviewed-on: https://go-review.googlesource.com/23612 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Rob Pike <r@golang.org>
* syscall: fix unshare test on mipsJess Frazelle2016-05-201-4/+4
| | | | | | | | | | Change-Id: Iedce3770a92112802f3a45c7b95ee145ab5b187e Reviewed-on: https://go-review.googlesource.com/23282 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org>
* syscall: add Unshare flags to SysProcAttr on LinuxJess Frazelle2016-05-201-0/+36
| | | | | | | | | | | | This patch adds Unshare flags to SysProcAttr for Linux systems. Fixes #1954 Change-Id: Id819c3f92b1474e5a06dd8d55f89d74a43eb770c Reviewed-on: https://go-review.googlesource.com/23233 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* os, syscall: skip tests when environment doesn't permit testingBrad Fitzpatrick2016-03-071-0/+3
| | | | | | | | | | Fixes #14693 Change-Id: Id0a6a80b4c37c0b0f1c2755667b7233ed8964e40 Reviewed-on: https://go-review.googlesource.com/20342 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: skip tests that create a user namespace when chrootedMichael Hudson-Doyle2015-11-251-0/+17
| | | | | | | | | The kernel rejects attempts to create user namespaces when in a chroot. Change-Id: I6548302732c8f5be52f4167cd7233aea16839ad8 Reviewed-on: https://go-review.googlesource.com/17214 Reviewed-by: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: skip a couple tests when running under KubernetesBrad Fitzpatrick2015-10-021-0/+7
| | | | | | | | | | Update #12815 Change-Id: I3bf6de74bc8ab07000fe9a4308299839ef20632f Reviewed-on: https://go-review.googlesource.com/15283 Reviewed-by: Evan Brown <evanbrown@google.com> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
* syscall: remove unused kernelVersion function from testsAlexander Morozov2015-08-311-18/+0
| | | | | | | | Change-Id: If0d00999c58f7421e4da06e1822ba5abccf72cac Reviewed-on: https://go-review.googlesource.com/14111 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: move check of unprivileged_userns_clone to whoamiCmdAlexander Morozov2015-08-311-8/+7
| | | | | | | | | | | | This is basic validation and should be performed early Fixes #12412 Change-Id: I903f7eeafdc22376704985a53d649698cf9d8ef4 Reviewed-on: https://go-review.googlesource.com/14110 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: don't call Setgroups if Credential.Groups is emptyAlexander Morozov2015-08-271-0/+8
| | | | | | | | | | | | | Setgroups with zero-length groups is no-op for changing groups and supposed to be used only for determining curent groups length. Also because we deny setgroups by default if use GidMappings we have unnecessary error from that no-op syscall. Change-Id: I8f74fbca9190a3dcbbef1d886c518e01fa05eb62 Reviewed-on: https://go-review.googlesource.com/13938 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
* syscall: skip non-root user namespace test if kernel forbidsIan Lance Taylor2015-06-201-1/+9
| | | | | | | | | | | | Some Linux kernels apparently have a sysctl that prohibits nonprivileged processes from creating user namespaces. If we see a failure for that reason, skip the test. Fixes #11261. Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad Reviewed-on: https://go-review.googlesource.com/11269 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
* syscall: fix TestCloneNEWUSERAndRemapNoRootDisableSetgroups the right wayIan Lance Taylor2015-06-151-15/+8
| | | | | | | | | | | | | The problem was not the kernel version as I thought before, it was that the test used the same number for both the UID and the GID. Thanks to Chris Siebenmann for debugging this. Fixes #11220. Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde Reviewed-on: https://go-review.googlesource.com/11124 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Austin Clements <austin@google.com>
* syscall: skip TestCloneNEWUSERAndRemapNoRootDisableSetgroups before 3.19Ian Lance Taylor2015-06-141-0/+26
| | | | | | | | | The test fails on Ubuntu Trusty for some reason, probably because of some set of kernel patches. Change-Id: I52f7ca50b96fea5725817c9e9198860d419f9313 Reviewed-on: https://go-review.googlesource.com/11055 Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
* syscall: add GidMappingsEnableSetgroups to Linux SysProcAttrAlexander Morozov2015-06-121-0/+84
Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to address a security issue. The upshot of the 3.19 changes is that in order to update the 'gid_maps' file, use of the setgroups() system call in this user namespace must first be disabled by writing "deny" to one of the /proc/PID/setgroups files for this namespace. Also added tests for remapping uid_map and gid_map inside new user namespace. Fixes #10626 Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7 Reviewed-on: https://go-review.googlesource.com/10670 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
View Lorry Controller Status