-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
os: TestChown and friends fail in a user namespace #42525
Comments
For the reference
Worked it around with the following patch: From: Kirill Smelkov <[email protected]>
Date: Mon, 6 Dec 2021 22:50:27 +0300
Subject: [PATCH] syscall: tests: Fix TestSCMCredentials for `unshare -Umc`
---
src/syscall/creds_test.go | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/syscall/creds_test.go b/src/syscall/creds_test.go
index c1a8b516e8..ed6e80c0c3 100644
--- a/src/syscall/creds_test.go
+++ b/src/syscall/creds_test.go
@@ -78,8 +78,10 @@ func TestSCMCredentials(t *testing.T) {
if sys, ok := err.(*os.SyscallError); ok {
err = sys.Err
}
- if err != syscall.EPERM {
- t.Fatalf("WriteMsgUnix failed with %v, want EPERM", err)
+ // can get EINVAL instead of EPERM under `unshare -Umc` because uid0 is not mapped and maps to -1
+ // see also https://github.com/golang/go/issues/42525
+ if !(err == syscall.EPERM || err == syscall.EINVAL) {
+ t.Fatalf("WriteMsgUnix failed with %v, want EPERM/EINVAL", err)
}
}
--
2.30.2 |
If we enter user namespace via regular unshare without help from SUID newuidmap/newgidmap, all supplementary groups are mapped to -1. As the result when Go test tries to chown to a supplementary group, it gets EINVAL: golang/go#42525 -> work it around with patch to skip this chown tests. A more proper, longer-term fix would be to fix Linux kernel to allow writes to /proc/self/gid_map to setup mapping not only to original gid, but to all original supplementary groups as well here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c?id=v5.16-rc4-0-g0fcfb00b28c0#n1143 this fix, even if accepted by upstream, would be long to be waited for to propagate to distribution kernels that we currently use. So we go with this workaround for now. -------- Another patch is to fix the following TestSCMCredentials failure: === RUN TestSCMCredentials creds_test.go:81: WriteMsgUnix failed with invalid argument, want EPERM --- FAIL: TestSCMCredentials (0.00s) There the code tries to send uid0/gid0 credentials from non-zero uid and expects EPERM reject from kernel. However under `unshare -Umc` uid0/gid0 are not mapped to anywhere and so implicitly map to -1 and are rejected with EINVAL by the kernel. /reviewed-by @jerome /reviewed-on https://lab.nexedi.com/nexedi/slapos/merge_requests/1095
Workaround for <golang/go#42525> (Also related to <NixOS/nix#3245>)
Workaround for <golang/go#42525> (Also related to <NixOS/nix#3245>)
Workaround for <golang/go#42525> (Also related to <NixOS/nix#3245>)
Workaround for <golang/go#42525> (Also related to <NixOS/nix#3245>) (cherry picked from commit af3cd7c)
Workaround for <golang/go#42525> (Also related to <NixOS/nix#3245>) (cherry picked from commit a66d9c8)
Workaround for <golang/go#42525> (Also related to <NixOS/nix#3245>)
Workaround for <golang/go#42525> (Also related to <NixOS/nix#3245>)
Also for the reference: this has been applied/fixed upstream with f839aaa (included in go >= 1.19). |
Change https://go.dev/cl/520055 mentions this issue: |
I believe this is fixed by https://go.dev/cl/520055. |
Go1.21 already has the fifth minor revision (released 2023-12-05) and should therefore already be sufficiently stable. Furthermore we need it to fix a bug in a NEO/go dependency [1]. Please find all details in the official release note: https://go.dev/doc/go1.21 It was released on 2023-08-08 [2]. Due to the go promise of compatibility most software should still compile without any problems. In golang < 1.21 we needed to patch golang to fix golang/go#42525. In golang 1.21 we still need to apply a fix, but can't apply the old patch because the code changed. In golang > 1.21 this problem is already fixed with https://go-review.googlesource.com/c/go/+/520055. Because of golang/go@0926714 'TestUnshareMountNameSpace' fails on golang 1.21 [3]. In golang 1.20 this test was skipped [4]. To fix this failure the additional patch 'skip-unshare-mount-test.patch' has been added. --- [1] https://lab.nexedi.com/nexedi/wendelin.core/merge_requests/22#note_195769] [2] https://go.dev/doc/devel/release [3] --- FAIL: TestUnshareMountNameSpace (0.18s) exec_linux_test.go:243: unshare failed: exit status 2 unshare: mount /tmp/TestUnshareMountNameSpace2210137852/001 failed: 0x1 [4] === RUN TestUnshareMountNameSpace exec_linux_test.go:333: kernel prohibits unshare in unprivileged process, unless using user namespace — SKIP: TestUnshareMountNameSpace (0.00s) /reviewed-by @kirr and @jerome /reviewed-on https://lab.nexedi.com/nexedi/slapos/merge_requests/1494
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes, this is not a new issue.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
What did you expect to see?
All tests pass.
What did you see instead?
These tests call Getgroups and then tries to chown files to all of those groups.
However, if the test is running in a user namespace (e.g., restricted CI environment), some of the groups may be OVERFLOWGID (65534) which is not a valid gid to use in chown, thus making the test fail.
The text was updated successfully, but these errors were encountered: