syscall: add support for setns after fork

cpuguy83 · cpuguy83 · commit d2adb915adf2 · 2023-03-14T00:52:58.000Z
This adds a `Namespaces` field to Linux's `SysProcAttr` type.
When set, these namespaces will be entered after fork and before exec.
The format for this is `&lt;ns name&gt;=&lt;path&gt;`, e.g. `mnt=/some/path`.

This allows users to exec a new process in a pre-defined set of
namespaces without having to resort to hacks or re-execs to bootstrap
these namespaces.
diff --git a/src/syscall/exec_linux.go b/src/syscall/exec_linux.go
@@ -7,6 +7,7 @@
 package syscall
 
 import (
+	"internal/bytealg"
 	"internal/itoa"
 	"runtime"
 	"unsafe"
@@ -101,6 +102,13 @@ type SysProcAttr struct {
 	AmbientCaps                []uintptr // Ambient capabilities (Linux only)
 	UseCgroupFD                bool      // Whether to make use of the CgroupFD field.
 	CgroupFD                   int       // File descriptor of a cgroup to put the new process into.
+	// Namespaces to join after fork and before exec.  Namespaces are joined
+	// before any unshare calls. If you are using CloneFlags note that those
+	// flags will be used to do the initial fork, so they occur before joining
+	// these namespaces. It is expected that the caller has sorted the list in
+	// the order they want to join.  It is possible for ordering to affect
+	// permissions to join other namespaces.
+	Namespaces []string
 }
 
 var (
@@ -300,6 +308,49 @@ func forkAndExecInChild1(argv0 *byte, argv, envv []*byte, chroot, dir *byte, att
 		}
 	}
 
+	var (
+		switchNamespaces   []int
+		switchNamespaceFds []int
+	)
+
+	for _, nsSpec := range sys.Namespaces {
+		idx := bytealg.IndexString(nsSpec, "=")
+		if idx <= 0 {
+			err1 = EINVAL
+			return
+		}
+
+		switch nsSpec[:idx] {
+		case "user":
+			switchNamespaces = append(switchNamespaces, CLONE_NEWUSER)
+		case "pid":
+			switchNamespaces = append(switchNamespaces, CLONE_NEWPID)
+		case "net":
+			switchNamespaces = append(switchNamespaces, CLONE_NEWNET)
+		case "ipc":
+			switchNamespaces = append(switchNamespaces, CLONE_NEWIPC)
+		case "uts":
+			switchNamespaces = append(switchNamespaces, CLONE_NEWUTS)
+		case "mount":
+			switchNamespaces = append(switchNamespaces, CLONE_NEWNS)
+		case "cgroup":
+			switchNamespaces = append(switchNamespaces, CLONE_NEWCGROUP)
+		default:
+			err1 = EINVAL
+			return
+		}
+
+		fd, err := Open(nsSpec[idx+1:], O_RDONLY, 0)
+		if err != nil {
+			for _, fd := range switchNamespaceFds {
+				Close(fd)
+			}
+			err1 = err.(Errno)
+			return
+		}
+		switchNamespaceFds = append(switchNamespaceFds, fd)
+	}
+
 	// About to call fork.
 	// No more allocation or calls of non-assembly functions.
 	runtime_BeforeFork()
@@ -316,6 +367,9 @@ func forkAndExecInChild1(argv0 *byte, argv, envv []*byte, chroot, dir *byte, att
 		}
 	}
 	if err1 != 0 || pid != 0 {
+		for _, fd := range switchNamespaceFds {
+			RawSyscall(SYS_CLOSE, uintptr(fd), 0, 0)
+		}
 		// If we're in the parent, we must return immediately
 		// so we're not in the same stack frame as the child.
 		// This can at most use the return PC, which the child
@@ -335,6 +389,18 @@ func forkAndExecInChild1(argv0 *byte, argv, envv []*byte, chroot, dir *byte, att
 		}
 	}
 
+	for i, ns := range switchNamespaces {
+		fd := switchNamespaceFds[i]
+		_, _, err1 = RawSyscall(SYS_SETNS, uintptr(fd), uintptr(ns), 0)
+		if err1 != 0 {
+			goto childerror
+		}
+		_, _, err1 = RawSyscall(SYS_CLOSE, uintptr(fd), 0, 0)
+		if err1 != 0 {
+			goto childerror
+		}
+	}
+
 	// Wait for User ID/Group ID mappings to be written.
 	if sys.UidMappings != nil || sys.GidMappings != nil {
 		if _, _, err1 = RawSyscall(SYS_CLOSE, uintptr(mapPipe[1]), 0, 0); err1 != 0 {
