exec_linux.go

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build linux
     6  
     7  package syscall
     8  
     9  import (
    10  	"internal/itoa"
    11  	"runtime"
    12  	"unsafe"
    13  )
    14  
    15  // Linux unshare/clone/clone2/clone3 flags, architecture-independent,
    16  // copied from linux/sched.h.
    17  const (
    18  	CLONE_VM             = 0x00000100 // set if VM shared between processes
    19  	CLONE_FS             = 0x00000200 // set if fs info shared between processes
    20  	CLONE_FILES          = 0x00000400 // set if open files shared between processes
    21  	CLONE_SIGHAND        = 0x00000800 // set if signal handlers and blocked signals shared
    22  	CLONE_PIDFD          = 0x00001000 // set if a pidfd should be placed in parent
    23  	CLONE_PTRACE         = 0x00002000 // set if we want to let tracing continue on the child too
    24  	CLONE_VFORK          = 0x00004000 // set if the parent wants the child to wake it up on mm_release
    25  	CLONE_PARENT         = 0x00008000 // set if we want to have the same parent as the cloner
    26  	CLONE_THREAD         = 0x00010000 // Same thread group?
    27  	CLONE_NEWNS          = 0x00020000 // New mount namespace group
    28  	CLONE_SYSVSEM        = 0x00040000 // share system V SEM_UNDO semantics
    29  	CLONE_SETTLS         = 0x00080000 // create a new TLS for the child
    30  	CLONE_PARENT_SETTID  = 0x00100000 // set the TID in the parent
    31  	CLONE_CHILD_CLEARTID = 0x00200000 // clear the TID in the child
    32  	CLONE_DETACHED       = 0x00400000 // Unused, ignored
    33  	CLONE_UNTRACED       = 0x00800000 // set if the tracing process can't force CLONE_PTRACE on this clone
    34  	CLONE_CHILD_SETTID   = 0x01000000 // set the TID in the child
    35  	CLONE_NEWCGROUP      = 0x02000000 // New cgroup namespace
    36  	CLONE_NEWUTS         = 0x04000000 // New utsname namespace
    37  	CLONE_NEWIPC         = 0x08000000 // New ipc namespace
    38  	CLONE_NEWUSER        = 0x10000000 // New user namespace
    39  	CLONE_NEWPID         = 0x20000000 // New pid namespace
    40  	CLONE_NEWNET         = 0x40000000 // New network namespace
    41  	CLONE_IO             = 0x80000000 // Clone io context
    42  
    43  	// Flags for the clone3() syscall.
    44  
    45  	CLONE_CLEAR_SIGHAND = 0x100000000 // Clear any signal handler and reset to SIG_DFL.
    46  	CLONE_INTO_CGROUP   = 0x200000000 // Clone into a specific cgroup given the right permissions.
    47  
    48  	// Cloning flags intersect with CSIGNAL so can be used with unshare and clone3
    49  	// syscalls only:
    50  
    51  	CLONE_NEWTIME = 0x00000080 // New time namespace
    52  )
    53  
    54  // SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
    55  // See user_namespaces(7).
    56  type SysProcIDMap struct {
    57  	ContainerID int // Container ID.
    58  	HostID      int // Host ID.
    59  	Size        int // Size.
    60  }
    61  
    62  type SysProcAttr struct {
    63  	Chroot     string      // Chroot.
    64  	Credential *Credential // Credential.
    65  	// Ptrace tells the child to call ptrace(PTRACE_TRACEME).
    66  	// Call runtime.LockOSThread before starting a process with this set,
    67  	// and don't call UnlockOSThread until done with PtraceSyscall calls.
    68  	Ptrace bool
    69  	Setsid bool // Create session.
    70  	// Setpgid sets the process group ID of the child to Pgid,
    71  	// or, if Pgid == 0, to the new child's process ID.
    72  	Setpgid bool
    73  	// Setctty sets the controlling terminal of the child to
    74  	// file descriptor Ctty. Ctty must be a descriptor number
    75  	// in the child process: an index into ProcAttr.Files.
    76  	// This is only meaningful if Setsid is true.
    77  	Setctty bool
    78  	Noctty  bool // Detach fd 0 from controlling terminal
    79  	Ctty    int  // Controlling TTY fd
    80  	// Foreground places the child process group in the foreground.
    81  	// This implies Setpgid. The Ctty field must be set to
    82  	// the descriptor of the controlling TTY.
    83  	// Unlike Setctty, in this case Ctty must be a descriptor
    84  	// number in the parent process.
    85  	Foreground bool
    86  	Pgid       int // Child's process group ID if Setpgid.
    87  	// Pdeathsig, if non-zero, is a signal that the kernel will send to
    88  	// the child process when the creating thread dies. Note that the signal
    89  	// is sent on thread termination, which may happen before process termination.
    90  	// There are more details at https://go.dev/issue/27505.
    91  	Pdeathsig    Signal
    92  	Cloneflags   uintptr        // Flags for clone calls (Linux only)
    93  	Unshareflags uintptr        // Flags for unshare calls (Linux only)
    94  	UidMappings  []SysProcIDMap // User ID mappings for user namespaces.
    95  	GidMappings  []SysProcIDMap // Group ID mappings for user namespaces.
    96  	// GidMappingsEnableSetgroups enabling setgroups syscall.
    97  	// If false, then setgroups syscall will be disabled for the child process.
    98  	// This parameter is no-op if GidMappings == nil. Otherwise for unprivileged
    99  	// users this should be set to false for mappings work.
   100  	GidMappingsEnableSetgroups bool
   101  	AmbientCaps                []uintptr // Ambient capabilities (Linux only)
   102  	UseCgroupFD                bool      // Whether to make use of the CgroupFD field.
   103  	CgroupFD                   int       // File descriptor of a cgroup to put the new process into.
   104  }
   105  
   106  var (
   107  	none  = [...]byte{'n', 'o', 'n', 'e', 0}
   108  	slash = [...]byte{'/', 0}
   109  )
   110  
   111  // Implemented in runtime package.
   112  func runtime_BeforeFork()
   113  func runtime_AfterFork()
   114  func runtime_AfterForkInChild()
   115  
   116  // Fork, dup fd onto 0..len(fd), and exec(argv0, argvv, envv) in child.
   117  // If a dup or exec fails, write the errno error to pipe.
   118  // (Pipe is close-on-exec so if exec succeeds, it will be closed.)
   119  // In the child, this function must not acquire any locks, because
   120  // they might have been locked at the time of the fork. This means
   121  // no rescheduling, no malloc calls, and no new stack segments.
   122  // For the same reason compiler does not race instrument it.
   123  // The calls to RawSyscall are okay because they are assembly
   124  // functions that do not grow the stack.
   125  //
   126  //go:norace
   127  func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (pid int, err Errno) {
   128  	// Set up and fork. This returns immediately in the parent or
   129  	// if there's an error.
   130  	upid, err, mapPipe, locked := forkAndExecInChild1(argv0, argv, envv, chroot, dir, attr, sys, pipe)
   131  	if locked {
   132  		runtime_AfterFork()
   133  	}
   134  	if err != 0 {
   135  		return 0, err
   136  	}
   137  
   138  	// parent; return PID
   139  	pid = int(upid)
   140  
   141  	if sys.UidMappings != nil || sys.GidMappings != nil {
   142  		Close(mapPipe[0])
   143  		var err2 Errno
   144  		// uid/gid mappings will be written after fork and unshare(2) for user
   145  		// namespaces.
   146  		if sys.Unshareflags&CLONE_NEWUSER == 0 {
   147  			if err := writeUidGidMappings(pid, sys); err != nil {
   148  				err2 = err.(Errno)
   149  			}
   150  		}
   151  		RawSyscall(SYS_WRITE, uintptr(mapPipe[1]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2))
   152  		Close(mapPipe[1])
   153  	}
   154  
   155  	return pid, 0
   156  }
   157  
   158  const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
   159  
   160  type capHeader struct {
   161  	version uint32
   162  	pid     int32
   163  }
   164  
   165  type capData struct {
   166  	effective   uint32
   167  	permitted   uint32
   168  	inheritable uint32
   169  }
   170  type caps struct {
   171  	hdr  capHeader
   172  	data [2]capData
   173  }
   174  
   175  // See CAP_TO_INDEX in linux/capability.h:
   176  func capToIndex(cap uintptr) uintptr { return cap >> 5 }
   177  
   178  // See CAP_TO_MASK in linux/capability.h:
   179  func capToMask(cap uintptr) uint32 { return 1 << uint(cap&31) }
   180  
   181  // cloneArgs holds arguments for clone3 Linux syscall.
   182  type cloneArgs struct {
   183  	flags      uint64 // Flags bit mask
   184  	pidFD      uint64 // Where to store PID file descriptor (int *)
   185  	childTID   uint64 // Where to store child TID, in child's memory (pid_t *)
   186  	parentTID  uint64 // Where to store child TID, in parent's memory (pid_t *)
   187  	exitSignal uint64 // Signal to deliver to parent on child termination
   188  	stack      uint64 // Pointer to lowest byte of stack
   189  	stackSize  uint64 // Size of stack
   190  	tls        uint64 // Location of new TLS
   191  	setTID     uint64 // Pointer to a pid_t array (since Linux 5.5)
   192  	setTIDSize uint64 // Number of elements in set_tid (since Linux 5.5)
   193  	cgroup     uint64 // File descriptor for target cgroup of child (since Linux 5.7)
   194  }
   195  
   196  // forkAndExecInChild1 implements the body of forkAndExecInChild up to
   197  // the parent's post-fork path. This is a separate function so we can
   198  // separate the child's and parent's stack frames if we're using
   199  // vfork.
   200  //
   201  // This is go:noinline because the point is to keep the stack frames
   202  // of this and forkAndExecInChild separate.
   203  //
   204  //go:noinline
   205  //go:norace
   206  //go:nocheckptr
   207  func forkAndExecInChild1(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr *ProcAttr, sys *SysProcAttr, pipe int) (pid uintptr, err1 Errno, mapPipe [2]int, locked bool) {
   208  	// Defined in linux/prctl.h starting with Linux 4.3.
   209  	const (
   210  		PR_CAP_AMBIENT       = 0x2f
   211  		PR_CAP_AMBIENT_RAISE = 0x2
   212  	)
   213  
   214  	// vfork requires that the child not touch any of the parent's
   215  	// active stack frames. Hence, the child does all post-fork
   216  	// processing in this stack frame and never returns, while the
   217  	// parent returns immediately from this frame and does all
   218  	// post-fork processing in the outer frame.
   219  	//
   220  	// Declare all variables at top in case any
   221  	// declarations require heap allocation (e.g., err2).
   222  	// ":=" should not be used to declare any variable after
   223  	// the call to runtime_BeforeFork.
   224  	//
   225  	// NOTE(bcmills): The allocation behavior described in the above comment
   226  	// seems to lack a corresponding test, and it may be rendered invalid
   227  	// by an otherwise-correct change in the compiler.
   228  	var (
   229  		err2                      Errno
   230  		nextfd                    int
   231  		i                         int
   232  		caps                      caps
   233  		fd1, flags                uintptr
   234  		puid, psetgroups, pgid    []byte
   235  		uidmap, setgroups, gidmap []byte
   236  		clone3                    *cloneArgs
   237  		pgrp                      int32
   238  		dirfd                     int
   239  		cred                      *Credential
   240  		ngroups, groups           uintptr
   241  		c                         uintptr
   242  	)
   243  
   244  	rlim, rlimOK := origRlimitNofile.Load().(Rlimit)
   245  
   246  	if sys.UidMappings != nil {
   247  		puid = []byte("/proc/self/uid_map\000")
   248  		uidmap = formatIDMappings(sys.UidMappings)
   249  	}
   250  
   251  	if sys.GidMappings != nil {
   252  		psetgroups = []byte("/proc/self/setgroups\000")
   253  		pgid = []byte("/proc/self/gid_map\000")
   254  
   255  		if sys.GidMappingsEnableSetgroups {
   256  			setgroups = []byte("allow\000")
   257  		} else {
   258  			setgroups = []byte("deny\000")
   259  		}
   260  		gidmap = formatIDMappings(sys.GidMappings)
   261  	}
   262  
   263  	// Record parent PID so child can test if it has died.
   264  	ppid, _ := rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   265  
   266  	// Guard against side effects of shuffling fds below.
   267  	// Make sure that nextfd is beyond any currently open files so
   268  	// that we can't run the risk of overwriting any of them.
   269  	fd := make([]int, len(attr.Files))
   270  	nextfd = len(attr.Files)
   271  	for i, ufd := range attr.Files {
   272  		if nextfd < int(ufd) {
   273  			nextfd = int(ufd)
   274  		}
   275  		fd[i] = int(ufd)
   276  	}
   277  	nextfd++
   278  
   279  	// Allocate another pipe for parent to child communication for
   280  	// synchronizing writing of User ID/Group ID mappings.
   281  	if sys.UidMappings != nil || sys.GidMappings != nil {
   282  		if err := forkExecPipe(mapPipe[:]); err != nil {
   283  			err1 = err.(Errno)
   284  			return
   285  		}
   286  	}
   287  
   288  	flags = sys.Cloneflags
   289  	if sys.Cloneflags&CLONE_NEWUSER == 0 && sys.Unshareflags&CLONE_NEWUSER == 0 {
   290  		flags |= CLONE_VFORK | CLONE_VM
   291  	}
   292  	// Whether to use clone3.
   293  	if sys.UseCgroupFD {
   294  		clone3 = &cloneArgs{
   295  			flags:      uint64(flags) | CLONE_INTO_CGROUP,
   296  			exitSignal: uint64(SIGCHLD),
   297  			cgroup:     uint64(sys.CgroupFD),
   298  		}
   299  	} else if flags&CLONE_NEWTIME != 0 {
   300  		clone3 = &cloneArgs{
   301  			flags:      uint64(flags),
   302  			exitSignal: uint64(SIGCHLD),
   303  		}
   304  	}
   305  
   306  	// About to call fork.
   307  	// No more allocation or calls of non-assembly functions.
   308  	runtime_BeforeFork()
   309  	locked = true
   310  	if clone3 != nil {
   311  		pid, err1 = rawVforkSyscall(_SYS_clone3, uintptr(unsafe.Pointer(clone3)), unsafe.Sizeof(*clone3))
   312  	} else {
   313  		flags |= uintptr(SIGCHLD)
   314  		if runtime.GOARCH == "s390x" {
   315  			// On Linux/s390, the first two arguments of clone(2) are swapped.
   316  			pid, err1 = rawVforkSyscall(SYS_CLONE, 0, flags)
   317  		} else {
   318  			pid, err1 = rawVforkSyscall(SYS_CLONE, flags, 0)
   319  		}
   320  	}
   321  	if err1 != 0 || pid != 0 {
   322  		// If we're in the parent, we must return immediately
   323  		// so we're not in the same stack frame as the child.
   324  		// This can at most use the return PC, which the child
   325  		// will not modify, and the results of
   326  		// rawVforkSyscall, which must have been written after
   327  		// the child was replaced.
   328  		return
   329  	}
   330  
   331  	// Fork succeeded, now in child.
   332  
   333  	// Enable the "keep capabilities" flag to set ambient capabilities later.
   334  	if len(sys.AmbientCaps) > 0 {
   335  		_, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_KEEPCAPS, 1, 0, 0, 0, 0)
   336  		if err1 != 0 {
   337  			goto childerror
   338  		}
   339  	}
   340  
   341  	// Wait for User ID/Group ID mappings to be written.
   342  	if sys.UidMappings != nil || sys.GidMappings != nil {
   343  		if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(mapPipe[1]), 0, 0); err1 != 0 {
   344  			goto childerror
   345  		}
   346  		pid, _, err1 = RawSyscall(SYS_READ, uintptr(mapPipe[0]), uintptr(unsafe.Pointer(&err2)), unsafe.Sizeof(err2))
   347  		if err1 != 0 {
   348  			goto childerror
   349  		}
   350  		if pid != unsafe.Sizeof(err2) {
   351  			err1 = EINVAL
   352  			goto childerror
   353  		}
   354  		if err2 != 0 {
   355  			err1 = err2
   356  			goto childerror
   357  		}
   358  	}
   359  
   360  	// Session ID
   361  	if sys.Setsid {
   362  		_, _, err1 = RawSyscall(SYS_SETSID, 0, 0, 0)
   363  		if err1 != 0 {
   364  			goto childerror
   365  		}
   366  	}
   367  
   368  	// Set process group
   369  	if sys.Setpgid || sys.Foreground {
   370  		// Place child in process group.
   371  		_, _, err1 = RawSyscall(SYS_SETPGID, 0, uintptr(sys.Pgid), 0)
   372  		if err1 != 0 {
   373  			goto childerror
   374  		}
   375  	}
   376  
   377  	if sys.Foreground {
   378  		pgrp = int32(sys.Pgid)
   379  		if pgrp == 0 {
   380  			pid, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   381  
   382  			pgrp = int32(pid)
   383  		}
   384  
   385  		// Place process group in foreground.
   386  		_, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSPGRP), uintptr(unsafe.Pointer(&pgrp)))
   387  		if err1 != 0 {
   388  			goto childerror
   389  		}
   390  	}
   391  
   392  	// Restore the signal mask. We do this after TIOCSPGRP to avoid
   393  	// having the kernel send a SIGTTOU signal to the process group.
   394  	runtime_AfterForkInChild()
   395  
   396  	// Unshare
   397  	if sys.Unshareflags != 0 {
   398  		_, _, err1 = RawSyscall(SYS_UNSHARE, sys.Unshareflags, 0, 0)
   399  		if err1 != 0 {
   400  			goto childerror
   401  		}
   402  
   403  		if sys.Unshareflags&CLONE_NEWUSER != 0 && sys.GidMappings != nil {
   404  			dirfd = int(_AT_FDCWD)
   405  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&psetgroups[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   406  				goto childerror
   407  			}
   408  			pid, _, err1 = RawSyscall(SYS_WRITE, uintptr(fd1), uintptr(unsafe.Pointer(&setgroups[0])), uintptr(len(setgroups)))
   409  			if err1 != 0 {
   410  				goto childerror
   411  			}
   412  			if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(fd1), 0, 0); err1 != 0 {
   413  				goto childerror
   414  			}
   415  
   416  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&pgid[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   417  				goto childerror
   418  			}
   419  			pid, _, err1 = RawSyscall(SYS_WRITE, uintptr(fd1), uintptr(unsafe.Pointer(&gidmap[0])), uintptr(len(gidmap)))
   420  			if err1 != 0 {
   421  				goto childerror
   422  			}
   423  			if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(fd1), 0, 0); err1 != 0 {
   424  				goto childerror
   425  			}
   426  		}
   427  
   428  		if sys.Unshareflags&CLONE_NEWUSER != 0 && sys.UidMappings != nil {
   429  			dirfd = int(_AT_FDCWD)
   430  			if fd1, _, err1 = RawSyscall6(SYS_OPENAT, uintptr(dirfd), uintptr(unsafe.Pointer(&puid[0])), uintptr(O_WRONLY), 0, 0, 0); err1 != 0 {
   431  				goto childerror
   432  			}
   433  			pid, _, err1 = RawSyscall(SYS_WRITE, uintptr(fd1), uintptr(unsafe.Pointer(&uidmap[0])), uintptr(len(uidmap)))
   434  			if err1 != 0 {
   435  				goto childerror
   436  			}
   437  			if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(fd1), 0, 0); err1 != 0 {
   438  				goto childerror
   439  			}
   440  		}
   441  
   442  		// The unshare system call in Linux doesn't unshare mount points
   443  		// mounted with --shared. Systemd mounts / with --shared. For a
   444  		// long discussion of the pros and cons of this see debian bug 739593.
   445  		// The Go model of unsharing is more like Plan 9, where you ask
   446  		// to unshare and the namespaces are unconditionally unshared.
   447  		// To make this model work we must further mark / as MS_PRIVATE.
   448  		// This is what the standard unshare command does.
   449  		if sys.Unshareflags&CLONE_NEWNS == CLONE_NEWNS {
   450  			_, _, err1 = RawSyscall6(SYS_MOUNT, uintptr(unsafe.Pointer(&none[0])), uintptr(unsafe.Pointer(&slash[0])), 0, MS_REC|MS_PRIVATE, 0, 0)
   451  			if err1 != 0 {
   452  				goto childerror
   453  			}
   454  		}
   455  	}
   456  
   457  	// Chroot
   458  	if chroot != nil {
   459  		_, _, err1 = RawSyscall(SYS_CHROOT, uintptr(unsafe.Pointer(chroot)), 0, 0)
   460  		if err1 != 0 {
   461  			goto childerror
   462  		}
   463  	}
   464  
   465  	// User and groups
   466  	if cred = sys.Credential; cred != nil {
   467  		ngroups = uintptr(len(cred.Groups))
   468  		groups = uintptr(0)
   469  		if ngroups > 0 {
   470  			groups = uintptr(unsafe.Pointer(&cred.Groups[0]))
   471  		}
   472  		if !(sys.GidMappings != nil && !sys.GidMappingsEnableSetgroups && ngroups == 0) && !cred.NoSetGroups {
   473  			_, _, err1 = RawSyscall(_SYS_setgroups, ngroups, groups, 0)
   474  			if err1 != 0 {
   475  				goto childerror
   476  			}
   477  		}
   478  		_, _, err1 = RawSyscall(sys_SETGID, uintptr(cred.Gid), 0, 0)
   479  		if err1 != 0 {
   480  			goto childerror
   481  		}
   482  		_, _, err1 = RawSyscall(sys_SETUID, uintptr(cred.Uid), 0, 0)
   483  		if err1 != 0 {
   484  			goto childerror
   485  		}
   486  	}
   487  
   488  	if len(sys.AmbientCaps) != 0 {
   489  		// Ambient capabilities were added in the 4.3 kernel,
   490  		// so it is safe to always use _LINUX_CAPABILITY_VERSION_3.
   491  		caps.hdr.version = _LINUX_CAPABILITY_VERSION_3
   492  
   493  		if _, _, err1 = RawSyscall(SYS_CAPGET, uintptr(unsafe.Pointer(&caps.hdr)), uintptr(unsafe.Pointer(&caps.data[0])), 0); err1 != 0 {
   494  			goto childerror
   495  		}
   496  
   497  		for _, c = range sys.AmbientCaps {
   498  			// Add the c capability to the permitted and inheritable capability mask,
   499  			// otherwise we will not be able to add it to the ambient capability mask.
   500  			caps.data[capToIndex(c)].permitted |= capToMask(c)
   501  			caps.data[capToIndex(c)].inheritable |= capToMask(c)
   502  		}
   503  
   504  		if _, _, err1 = RawSyscall(SYS_CAPSET, uintptr(unsafe.Pointer(&caps.hdr)), uintptr(unsafe.Pointer(&caps.data[0])), 0); err1 != 0 {
   505  			goto childerror
   506  		}
   507  
   508  		for _, c = range sys.AmbientCaps {
   509  			_, _, err1 = RawSyscall6(SYS_PRCTL, PR_CAP_AMBIENT, uintptr(PR_CAP_AMBIENT_RAISE), c, 0, 0, 0)
   510  			if err1 != 0 {
   511  				goto childerror
   512  			}
   513  		}
   514  	}
   515  
   516  	// Chdir
   517  	if dir != nil {
   518  		_, _, err1 = RawSyscall(SYS_CHDIR, uintptr(unsafe.Pointer(dir)), 0, 0)
   519  		if err1 != 0 {
   520  			goto childerror
   521  		}
   522  	}
   523  
   524  	// Parent death signal
   525  	if sys.Pdeathsig != 0 {
   526  		_, _, err1 = RawSyscall6(SYS_PRCTL, PR_SET_PDEATHSIG, uintptr(sys.Pdeathsig), 0, 0, 0, 0)
   527  		if err1 != 0 {
   528  			goto childerror
   529  		}
   530  
   531  		// Signal self if parent is already dead. This might cause a
   532  		// duplicate signal in rare cases, but it won't matter when
   533  		// using SIGKILL.
   534  		pid, _ = rawSyscallNoError(SYS_GETPPID, 0, 0, 0)
   535  		if pid != ppid {
   536  			pid, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)
   537  			_, _, err1 = RawSyscall(SYS_KILL, pid, uintptr(sys.Pdeathsig), 0)
   538  			if err1 != 0 {
   539  				goto childerror
   540  			}
   541  		}
   542  	}
   543  
   544  	// Pass 1: look for fd[i] < i and move those up above len(fd)
   545  	// so that pass 2 won't stomp on an fd it needs later.
   546  	if pipe < nextfd {
   547  		_, _, err1 = RawSyscall(SYS_DUP3, uintptr(pipe), uintptr(nextfd), O_CLOEXEC)
   548  		if err1 != 0 {
   549  			goto childerror
   550  		}
   551  		pipe = nextfd
   552  		nextfd++
   553  	}
   554  	for i = 0; i < len(fd); i++ {
   555  		if fd[i] >= 0 && fd[i] < i {
   556  			if nextfd == pipe { // don't stomp on pipe
   557  				nextfd++
   558  			}
   559  			_, _, err1 = RawSyscall(SYS_DUP3, uintptr(fd[i]), uintptr(nextfd), O_CLOEXEC)
   560  			if err1 != 0 {
   561  				goto childerror
   562  			}
   563  			fd[i] = nextfd
   564  			nextfd++
   565  		}
   566  	}
   567  
   568  	// Pass 2: dup fd[i] down onto i.
   569  	for i = 0; i < len(fd); i++ {
   570  		if fd[i] == -1 {
   571  			RawSyscall(SYS_CLOSE, uintptr(i), 0, 0)
   572  			continue
   573  		}
   574  		if fd[i] == i {
   575  			// dup2(i, i) won't clear close-on-exec flag on Linux,
   576  			// probably not elsewhere either.
   577  			_, _, err1 = RawSyscall(fcntl64Syscall, uintptr(fd[i]), F_SETFD, 0)
   578  			if err1 != 0 {
   579  				goto childerror
   580  			}
   581  			continue
   582  		}
   583  		// The new fd is created NOT close-on-exec,
   584  		// which is exactly what we want.
   585  		_, _, err1 = RawSyscall(SYS_DUP3, uintptr(fd[i]), uintptr(i), 0)
   586  		if err1 != 0 {
   587  			goto childerror
   588  		}
   589  	}
   590  
   591  	// By convention, we don't close-on-exec the fds we are
   592  	// started with, so if len(fd) < 3, close 0, 1, 2 as needed.
   593  	// Programs that know they inherit fds >= 3 will need
   594  	// to set them close-on-exec.
   595  	for i = len(fd); i < 3; i++ {
   596  		RawSyscall(SYS_CLOSE, uintptr(i), 0, 0)
   597  	}
   598  
   599  	// Detach fd 0 from tty
   600  	if sys.Noctty {
   601  		_, _, err1 = RawSyscall(SYS_IOCTL, 0, uintptr(TIOCNOTTY), 0)
   602  		if err1 != 0 {
   603  			goto childerror
   604  		}
   605  	}
   606  
   607  	// Set the controlling TTY to Ctty
   608  	if sys.Setctty {
   609  		_, _, err1 = RawSyscall(SYS_IOCTL, uintptr(sys.Ctty), uintptr(TIOCSCTTY), 1)
   610  		if err1 != 0 {
   611  			goto childerror
   612  		}
   613  	}
   614  
   615  	// Restore original rlimit.
   616  	if rlimOK && rlim.Cur != 0 {
   617  		rawSetrlimit(RLIMIT_NOFILE, &rlim)
   618  	}
   619  
   620  	// Enable tracing if requested.
   621  	// Do this right before exec so that we don't unnecessarily trace the runtime
   622  	// setting up after the fork. See issue #21428.
   623  	if sys.Ptrace {
   624  		_, _, err1 = RawSyscall(SYS_PTRACE, uintptr(PTRACE_TRACEME), 0, 0)
   625  		if err1 != 0 {
   626  			goto childerror
   627  		}
   628  	}
   629  
   630  	// Time to exec.
   631  	_, _, err1 = RawSyscall(SYS_EXECVE,
   632  		uintptr(unsafe.Pointer(argv0)),
   633  		uintptr(unsafe.Pointer(&argv[0])),
   634  		uintptr(unsafe.Pointer(&envv[0])))
   635  
   636  childerror:
   637  	// send error code on pipe
   638  	RawSyscall(SYS_WRITE, uintptr(pipe), uintptr(unsafe.Pointer(&err1)), unsafe.Sizeof(err1))
   639  	for {
   640  		RawSyscall(SYS_EXIT, 253, 0, 0)
   641  	}
   642  }
   643  
   644  func formatIDMappings(idMap []SysProcIDMap) []byte {
   645  	var data []byte
   646  	for _, im := range idMap {
   647  		data = append(data, itoa.Itoa(im.ContainerID)+" "+itoa.Itoa(im.HostID)+" "+itoa.Itoa(im.Size)+"\n"...)
   648  	}
   649  	return data
   650  }
   651  
   652  // writeIDMappings writes the user namespace User ID or Group ID mappings to the specified path.
   653  func writeIDMappings(path string, idMap []SysProcIDMap) error {
   654  	fd, err := Open(path, O_RDWR, 0)
   655  	if err != nil {
   656  		return err
   657  	}
   658  
   659  	if _, err := Write(fd, formatIDMappings(idMap)); err != nil {
   660  		Close(fd)
   661  		return err
   662  	}
   663  
   664  	if err := Close(fd); err != nil {
   665  		return err
   666  	}
   667  
   668  	return nil
   669  }
   670  
   671  // writeSetgroups writes to /proc/PID/setgroups "deny" if enable is false
   672  // and "allow" if enable is true.
   673  // This is needed since kernel 3.19, because you can't write gid_map without
   674  // disabling setgroups() system call.
   675  func writeSetgroups(pid int, enable bool) error {
   676  	sgf := "/proc/" + itoa.Itoa(pid) + "/setgroups"
   677  	fd, err := Open(sgf, O_RDWR, 0)
   678  	if err != nil {
   679  		return err
   680  	}
   681  
   682  	var data []byte
   683  	if enable {
   684  		data = []byte("allow")
   685  	} else {
   686  		data = []byte("deny")
   687  	}
   688  
   689  	if _, err := Write(fd, data); err != nil {
   690  		Close(fd)
   691  		return err
   692  	}
   693  
   694  	return Close(fd)
   695  }
   696  
   697  // writeUidGidMappings writes User ID and Group ID mappings for user namespaces
   698  // for a process and it is called from the parent process.
   699  func writeUidGidMappings(pid int, sys *SysProcAttr) error {
   700  	if sys.UidMappings != nil {
   701  		uidf := "/proc/" + itoa.Itoa(pid) + "/uid_map"
   702  		if err := writeIDMappings(uidf, sys.UidMappings); err != nil {
   703  			return err
   704  		}
   705  	}
   706  
   707  	if sys.GidMappings != nil {
   708  		// If the kernel is too old to support /proc/PID/setgroups, writeSetGroups will return ENOENT; this is OK.
   709  		if err := writeSetgroups(pid, sys.GidMappingsEnableSetgroups); err != nil && err != ENOENT {
   710  			return err
   711  		}
   712  		gidf := "/proc/" + itoa.Itoa(pid) + "/gid_map"
   713  		if err := writeIDMappings(gidf, sys.GidMappings); err != nil {
   714  			return err
   715  		}
   716  	}
   717  
   718  	return nil
   719  }
   720
View as plain text