go/src/syscall/syscall_linux.go, branch json-isValidNumber

syscall: Faccessat: check for CAP_DAC_OVERRIDE on Linux

2023-02-17T00:06:01Z

CL 416115 added using faccessat2(2) from syscall.Faccessat on Linux (which is the only true way to implement AT_EACCESS flag handing), if available. If not available, it uses some heuristics to mimic the kernel behavior, mostly taken from glibc (see CL 126415). Next, CL 414824 added using the above call (via unix.Eaccess) to exec.LookPath in order to check if the binary can really be executed. As a result, in a very specific scenario, described below, syscall.Faccessat (and thus exec.LookPath) mistakenly tells that the binary can not be executed, while in reality it can be. This makes this bug a regression in Go 1.20. This scenario involves all these conditions: - no faccessat2 support available (i.e. either Linux kernel < 5.8, or a seccomp set up to disable faccessat2); - the current user is not root (i.e. geteuid() != 0); - CAP_DAC_OVERRIDE capability is set for the current process; - the file to be executed does not have executable permission bit set for either the current EUID or EGID; - the file to be executed have at least one executable bit set. Unfortunately, this set of conditions was observed in the wild -- a container run as a non-root user with the binary file owned by root with executable permission set for a user only [1]. Essentially it means it is not as rare as it may seem. Now, CAP_DAC_OVERRIDE essentially makes the kernel bypass most of the checks, so execve(2) and friends work the same was as for root user, i.e. if at least one executable bit it set, the permission to execute is granted (see generic_permission() function in the Linux kernel). Modify the code to check for CAP_DAC_OVERRIDE and mimic the kernel behavior for permission checks. [1] https://github.com/opencontainers/runc/issues/3715 Fixes #58552. Change-Id: I82a7e757ab3fd3d0193690a65c3b48fee46ff067 Reviewed-on: https://go-review.googlesource.com/c/go/+/468735 Reviewed-by: Damien Neil TryBot-Result: Gopher Robot Run-TryBot: Ian Lance Taylor Auto-Submit: Ian Lance Taylor Reviewed-by: Ian Lance Taylor

syscall: don't use faccessat2 on android

2022-12-21T17:14:34Z

The Android seccomp policy does not allow faccessat2, so attempting to use it results in a SIGSYS. Avoid it and go straight to the fallback. Fixes #57393. Change-Id: I8d4e12a6f46cea5642d3b5b5a02c682529882f29 Reviewed-on: https://go-review.googlesource.com/c/go/+/458495 Reviewed-by: Austin Clements TryBot-Result: Gopher Robot Reviewed-by: Changkun Ou Run-TryBot: Michael Pratt

syscall, internal/poll: fall back to accept on linux-arm

2022-12-16T03:40:42Z

Our minimum Linux version is 2.6.32, and the accept4 system call was introduced in 2.6.28, so we use accept4 everywhere. Unfortunately, it turns out that the accept4 system call was only added to linux-arm in 2.6.36, so for linux-arm only we need to try the accept4 system call and then fall back to accept if it doesn't work. The code we use on linux-arm is the code we used in Go 1.17. On non-arm platforms we continue using the simpler code introduced in Go 1.18. Adding accept4 to the ARM Linux kernel was: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21d93e2e29722d7832f61cc56d73fb953ee6578e Fixes #57333 Change-Id: I6680cb54dd4d3514a6887dda8906e6708c64459d Reviewed-on: https://go-review.googlesource.com/c/go/+/457995 Reviewed-by: Bryan Mills Reviewed-by: Brad Fitzpatrick Reviewed-by: Tobias Klauser Reviewed-by: Ian Lance Taylor Run-TryBot: Ian Lance Taylor Auto-Submit: Ian Lance Taylor TryBot-Result: Gopher Robot

syscall: add CgroupFD support for ForkExec on Linux

2022-09-09T15:34:16Z

Implement CLONE_INTO_CGROUP feature, allowing to put a child in a specified cgroup in a clean and simple way. Note that the feature only works for cgroup v2, and requires Linux kernel 5.7 or newer. Using the feature requires a new syscall, clone3. Currently this is the only reason to use clone3, but the code is structured in a way so that other cases may be easily added in the future. Add a test case. While at it, try to simplify the syscall calling code in forkAndExecInChild1, which became complicated over time because: 1. It was using either rawVforkSyscall or RawSyscall6 depending on whether CLONE_NEWUSER was set. 2. On Linux/s390, the first two arguments to clone(2) system call are swapped (which deserved a mention in Linux ABI hall of shame). It was worked around in rawVforkSyscall on s390, but had to be implemented via a switch/case when using RawSyscall6, making the code less clear. Let's - modify rawVforkSyscall to have two arguments (which is also required for clone3); - remove the arguments workaround from s390 asm, instead implementing arguments swap in the caller (which still looks ugly but at least it's done once and is clearly documented now); - use rawVforkSyscall for all cases (since it is essentially similar to RawSyscall6, except for having less parameters, not returning r2, and saving/restoring the return address before/after syscall on 386 and amd64). Updates #51246. Change-Id: Ifcd418ebead9257177338ffbcccd0bdecb94474e Reviewed-on: https://go-review.googlesource.com/c/go/+/417695 Auto-Submit: Ian Lance Taylor Reviewed-by: Michael Knyszek Reviewed-by: Ian Lance Taylor Run-TryBot: Ian Lance Taylor Run-TryBot: Kirill Kolyshkin TryBot-Result: Gopher Robot

syscall: Faccessat: use faccessat2 on linux

2022-09-01T22:00:28Z

Linux kernel 5.8 added the faccessat2 syscall taking a flags argument. Attempt to use it in Faccessat and fall back to the existing implementation mimicking glibc faccessat. Do not export the new syscall value so we keep syscall API intact. Part of this commit is generated by: GOOS=linux ./mkall.sh -syscalls zsyscall_linux_*.go This is similar to [1] amended by [2]. Required for [3]. [1] https://go-review.googlesource.com/c/sys/+/246537 [2] https://go-review.googlesource.com/c/sys/+/246817 [3] https://go-review.googlesource.com/c/go/+/414824 Co-authored-by: Tobias Klauser Change-Id: Ib7fe5ba853c15d92e869df9a16b56b79b96e43a6 Reviewed-on: https://go-review.googlesource.com/c/go/+/416115 Reviewed-by: Tobias Klauser Reviewed-by: Ian Lance Taylor Reviewed-by: Bryan Mills

syscall: implement EpollCreate using EpollCreate1 on all linux platforms

2022-08-18T16:08:26Z

Most newer architectures (e.g. arm64, riscv64, loong64) don't provide the epoll_create syscall. Some systems (e.g. Android) block it even if it were available. In the kernel, the epoll_create syscall is implemented [1] the same way EpollCreate is implemented in this package for platforms without the epoll_create syscall. The epoll_create1 syscall is available since Linux kernel 2.6.27 and the minimum required kernel version is 2.6.32 since Go 1.18 (see #45964). Thus, avoid the separate wrapper and consistently implement EpollCreate using EpollCreate1. [1] https://elixir.bootlin.com/linux/v5.15-rc1/source/fs/eventpoll.c#L2006 The same change was already done in CL 349809 for golang.org/x/sys/unix. For #45964 Change-Id: I5463b208aa7ae236fa2c175d6d3ec6568f1840b0 Reviewed-on: https://go-review.googlesource.com/c/go/+/411594 Reviewed-by: Bryan Mills Auto-Submit: Tobias Klauser Reviewed-by: Ian Lance Taylor TryBot-Result: Gopher Robot Run-TryBot: Tobias Klauser

all: gofmt main repo

2022-05-19T15:49:05Z

Excluding vendor and testdata. CL 384268 already reformatted most, but these slipped past. The struct in the doc comment in debug/dwarf/type.go was fixed up by hand to indent the first and last lines as well. For #51082. Change-Id: Iad020f83aafd671ff58238fe491907e85923d0c7 Reviewed-on: https://go-review.googlesource.com/c/go/+/407137 Run-TryBot: Russ Cox TryBot-Result: Gopher Robot Auto-Submit: Russ Cox Reviewed-by: Ian Lance Taylor

syscall: add //go:norace to RawSyscall

2022-04-28T16:00:39Z

RawSyscall is used in a variety of rather unsafe conditions, such as after fork in forkAndExecInChild1. Disable race instrumentation to avoid calling TSAN in unsafe conditions. For #51087 Change-Id: I47c35e6f0768c77ddab99010ea0404c45ad2f1da Reviewed-on: https://go-review.googlesource.com/c/go/+/402914 TryBot-Result: Gopher Robot Reviewed-by: Cherry Mui Auto-Submit: Michael Pratt Run-TryBot: Michael Pratt

syscall: define Syscall6 in terms of RawSyscall6 on linux

2022-04-22T19:02:29Z

This is an exact copy of CL 388478 after fixing #52472 in CL 401654. For #51087 For #52472 Change-Id: I6c6bd7ddcab1512c682e6b44f61c7bcde97f5c58 Reviewed-on: https://go-review.googlesource.com/c/go/+/401655 Run-TryBot: Michael Pratt TryBot-Result: Gopher Robot Reviewed-by: Cherry Mui

syscall: define Syscall in terms of RawSyscall on linux

2022-04-21T22:10:49Z

This is a re-do of CL 388477, fixing #52472. It is unsafe to call syscall.RawSyscall from syscall.Syscall with -coverpkg=all and -race. This is because: 1. Coverage adds a sync/atomic call in RawSyscall to increment the coverage counter. 2. Race mode instruments sync/atomic calls with TSAN runtime calls. TSAN eventually calls runtime.racecallbackfunc, which expects getg().m.p != 0, which is no longer true after entersyscall(). cmd/go actually avoids adding coverage instrumention to package runtime in race mode entirely to avoid these kinds of problems. Rather than also excluding all of syscall for this one function, work around by calling RawSyscall6 instead, which avoids coverage instrumention both by being written in assembly and in package runtime/*. For #51087 Fixes #52472 Change-Id: Iaffd27df03753020c4716059a455d6ca7b62f347 Reviewed-on: https://go-review.googlesource.com/c/go/+/401654 Run-TryBot: Michael Pratt TryBot-Result: Gopher Robot Auto-Submit: Michael Pratt Reviewed-by: Cherry Mui