| Age | Commit message (Collapse) | Author |
|---|
|
Fixes #16056.
Change-Id: Ic3343914742713851b8ae969b101521f25e85e7b
Reviewed-on: https://go-review.googlesource.com/24132
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
Change-Id: I21a08c2ff5ebb74e158723cca323574432870ba8
Reviewed-on: https://go-review.googlesource.com/23662
Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
Skip setgroups only for one particular case: GidMappings != nil and
GidMappingsEnableSetgroup == false and list of supplementary groups is
empty.
This patch returns pre-1.5 behavior for simple exec and still allows to
use GidMappings with non-empty Credential.
Change-Id: Ia91c77e76ec5efab7a7f78134ffb529910108fc1
Reviewed-on: https://go-review.googlesource.com/23524
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
For symmetry with Cloneflags and it looks slightly weird because there
is syscall.Unshare method.
Change-Id: I3d710177ca8f27c05b344407f212cbbe3435094b
Reviewed-on: https://go-review.googlesource.com/23612
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
|
|
Change-Id: Iedce3770a92112802f3a45c7b95ee145ab5b187e
Reviewed-on: https://go-review.googlesource.com/23282
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
|
|
This patch adds Unshare flags to SysProcAttr for Linux systems.
Fixes #1954
Change-Id: Id819c3f92b1474e5a06dd8d55f89d74a43eb770c
Reviewed-on: https://go-review.googlesource.com/23233
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
Fixes #14693
Change-Id: Id0a6a80b4c37c0b0f1c2755667b7233ed8964e40
Reviewed-on: https://go-review.googlesource.com/20342
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
The kernel rejects attempts to create user namespaces when in a chroot.
Change-Id: I6548302732c8f5be52f4167cd7233aea16839ad8
Reviewed-on: https://go-review.googlesource.com/17214
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
Update #12815
Change-Id: I3bf6de74bc8ab07000fe9a4308299839ef20632f
Reviewed-on: https://go-review.googlesource.com/15283
Reviewed-by: Evan Brown <evanbrown@google.com>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
Change-Id: If0d00999c58f7421e4da06e1822ba5abccf72cac
Reviewed-on: https://go-review.googlesource.com/14111
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
This is basic validation and should be performed early
Fixes #12412
Change-Id: I903f7eeafdc22376704985a53d649698cf9d8ef4
Reviewed-on: https://go-review.googlesource.com/14110
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
Setgroups with zero-length groups is no-op for changing groups and
supposed to be used only for determining curent groups length. Also
because we deny setgroups by default if use GidMappings we have
unnecessary error from that no-op syscall.
Change-Id: I8f74fbca9190a3dcbbef1d886c518e01fa05eb62
Reviewed-on: https://go-review.googlesource.com/13938
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
Some Linux kernels apparently have a sysctl that prohibits
nonprivileged processes from creating user namespaces. If we see a
failure for that reason, skip the test.
Fixes #11261.
Change-Id: I82dfcaf475eea4eaa387941373ce7165df4848ad
Reviewed-on: https://go-review.googlesource.com/11269
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
|
|
The problem was not the kernel version as I thought before, it was
that the test used the same number for both the UID and the GID.
Thanks to Chris Siebenmann for debugging this.
Fixes #11220.
Change-Id: Ib5077e182497155e84044683209590ee0f7c9dde
Reviewed-on: https://go-review.googlesource.com/11124
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Austin Clements <austin@google.com>
|
|
The test fails on Ubuntu Trusty for some reason, probably because of
some set of kernel patches.
Change-Id: I52f7ca50b96fea5725817c9e9198860d419f9313
Reviewed-on: https://go-review.googlesource.com/11055
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
|
|
Linux 3.19 made a change in the handling of setgroups and the 'gid_map' file to
address a security issue.
The upshot of the 3.19 changes is that in order to update the 'gid_maps' file,
use of the setgroups() system call in this user namespace must first be disabled
by writing "deny" to one of the /proc/PID/setgroups files for this namespace.
Also added tests for remapping uid_map and gid_map inside new user
namespace.
Fixes #10626
Change-Id: I4d2539acbab741a37092d277e10f31fc39a8feb7
Reviewed-on: https://go-review.googlesource.com/10670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
