As of Go 1.21 syscall.Setrlimit and syscall.prlimit can affect
starting a new process, by restoring the original NOFILE rlimit.
That is recorded locally in the syscall package, so just always
call the syscall functions.
For golang/go#46279
Change-Id: I2f3dafe5562a7dde1297bad6f5d34a80af5d620b
Reviewed-on: https://go-review.googlesource.com/c/sys/+/476695
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
CL 469835 broke the syscall wrapper generation on linux and freebsd by
generating a wrapper for the inexistent SYS_PTRACE_PTR syscall. The
ptracePtr added by CL 469835 correctly uses SYS_PTRACE, likely because
it was manually edited in that CL. However, the incorrect SYS_PTRACE_PTR
syscall is used when regenerating the syscall wrappers.
Change-Id: I270d66511f926d30a9d347930e977a026e033998
Reviewed-on: https://go-review.googlesource.com/c/sys/+/470175
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
CL 126516 added support for flags argument, implemented in the same way
as glibc does (it tries to guess what the kernel would do).
CL 246537 added using faccess2(2) Linux syscall which supports the flags
directly. For older kernels, though, the syscall is not available, and
the code uses glibc-like fallback.
There is one very specific scenario in which the fallback fails.
The scenario involves all these conditions:
- no faccessat2 support available (i.e. either Linux kernel < 5.8,
or a seccomp set up to disable faccessat2);
- the current user is not root (i.e. geteuid() != 0);
- CAP_DAC_OVERRIDE capability is set for the current process;
- the file to be executed does not have executable permission
bit set for either the current EUID or EGID;
- the file to be executed have at least one executable bit set.
Unfortunately, this set of conditions was observed in the wild -- a
container run as a non-root user with the binary file owned by root with
executable permission set for a user only [1]. Essentially it means it
is not as rare as it may seem.
Now, CAP_DAC_OVERRIDE essentially makes the kernel bypass most of the
checks, so execve(2) and friends work the same was as for root user,
i.e. if at least one executable bit it set, the permission to execute
is granted (see generic_permission() function in the Linux kernel).
Modify the code to check for CAP_DAC_OVERRIDE and mimic the kernel
behavior for permission checks.
This is essentially the same fix as CL 468735 for Go syscall package.
Tested on CentOS 7 with the repro similar to the one from [2].
[1] https://github.com/opencontainers/runc/issues/3715
[2] https://github.com/golang/go/issues/58552#issuecomment-1432505621
Change-Id: I726b6acab6a6e6d0358ef98e6a582b405c347614
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Reviewed-on: https://go-review.googlesource.com/c/sys/+/468877
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
This provides a ClockAdjtime function providing access to the clock_adjtime system call on Linux.
The clock_adjtime system call is like adjtimex, but takes a clockid_t as its first argument.
The unix package already provides Adjtimex and the associated Timex struct; it also provides
the other functions that take a clockid_t (like ClockGettime). ClockAdjtime is an essential
system call for programs that want to use the Linux PTP hardware clock infrastructure (see
https://docs.kernel.org/driver-api/ptp.html).
Fixesgolang/go#57618
Change-Id: I68d022425eb9cd394a204ad7fedab985c0496fee
Reviewed-on: https://go-review.googlesource.com/c/sys/+/463056
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Add a syscall wrapper for SYS_RT_SIGPROCMASK and export it as
PthreadSigmask. The latter is defined by POSIX and can therefore
be implemented by Darwin, etc. later on.
Follow the approach used by Signalfd of passing _C__NSIG/8 as
sigsetsize. This avoids exporting _C__NSIG and allows the syscall
to work with the current definition of Sigset_t, which doesn't
match the kernel definition of Sigset_t.
Updates golang/go#55349
Change-Id: I49dc93366a7d316d820b0c25ecdef2ebb584634b
Reviewed-on: https://go-review.googlesource.com/c/sys/+/435095
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
This was originally copied over from package syscall where it was
replaced by internal/itoa in CL 301549.
For golang.org/x/sys/unix we may import strconv, so use strconv.Itoa
instead.
Change-Id: Iac125fbd0f64c385f9f0c02d4a7af762364b67aa
Reviewed-on: https://go-review.googlesource.com/c/sys/+/425304
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Don't shadow the empty var when determining whether to send a single
byte when iovecs are empty but oob is non-empty. This will lead to the
n value correctly being reset to 0 before return.
No test because it's not possible to trigger this case on all platforms,
e.g. darwin where sendmsg with empty buf and non-empty oob returns
EINVAL.
This was introduced by CL 412497 and CL 419396.
Updates golang/go#52885
Change-Id: Iafc5a4b22e10b396ba5f7d4f2ac1c50df195a125
Reviewed-on: https://go-review.googlesource.com/c/sys/+/419914
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Florian Lehner <lehner.florian86@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
The Faccessat call checks the user, group, or other permission bits of a
file to see if the calling process can access it. The test to see if the
group permissions should be used was made with the wrong group id, using
the process's group id rather than the file's group id. Fix this to use
the correct group id.
This change only affects Linux versions prior to 5.8. Linux 5.8 added
the faccessat2 system call, which we use in preference to the internal
implementation.
No test since we cannot easily change file permissions when not running
as root and the test is meaningless if running as root.
For golang/go#52313
Change-Id: I6fa64379a50c9380207eab9d095ef7fbd05a2d59
Reviewed-on: https://go-review.googlesource.com/c/sys/+/400074
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Wrap the low-level system calls with a more idiomatic Go API and a set of
constants to indicate which timer should be queried or modified.
man 2 getitimer indicates that these system calls are obsolete as of
POSIX.1-2008, but the code I am working on has not been ported to the modern
timer_gettime(2) and timer_settime(2) APIs as of yet.
Change-Id: I91482e141047846cadf47aa2417b8770955986bf
Reviewed-on: https://go-review.googlesource.com/c/sys/+/384054
Run-TryBot: Matt Layher <mdlayher@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dominik Honnef <dominik@honnef.co>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Matt Layher <mdlayher@gmail.com>
SYS_ALARM is not defined for arm* or riscv, but is available for all other
Linux GOARCH values. Ian suggested I create a new file with build tags
matching these constraints.
In order to handle special case files such as this one (which don't match the
existing syscall_linux_goarch.go scheme), I've added logic to the Linux build
system which can evaluate the build constraints in a given file to determine
whether that file should be appended to the arguments for a given target.
Change-Id: I0136534522a26a0ce495308f63953546ea6bb8e5
Reviewed-on: https://go-review.googlesource.com/c/sys/+/383734
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Daniel Martí <mvdan@mvdan.cc>
Generally speaking Go functions make no guarantees
about what has happened to result parameters on error,
and Pipe is no exception: callers should avoid looking at
p if Pipe returns an error.
However, we had a bug in which ForkExec was using the
content of p after a failed Pipe, and others may too.
As a robustness fix, make Pipe avoid writing to p on failure.
windows.Pipe already avoided writing to p on failure.
For golang/go#50057.
Change-Id: I93ed06b06a9981793c119c1d7df689fbe79b4116
Reviewed-on: https://go-review.googlesource.com/c/sys/+/370614
Trust: Russ Cox <rsc@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Android's Bionic libc installs a seccomp filter that allows ppoll but
not poll. This has been fine for arm64, where we already implement poll
in terms of ppoll, but not the other architectures, such as amd64, which
runs on Chromebooks, and currently leads to crashes.
This commit implements poll in terms of ppoll on the remaining
architectures and makes this common code, so that everyone uses the more
modern syscall.
Change-Id: Ic01a32b5abe48ab53a2549f592a41561f1684c30
Reviewed-on: https://go-review.googlesource.com/c/sys/+/352310
Trust: Jason A. Donenfeld <Jason@zx2c4.com>
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Most architectures currently already implement Pipe using the pipe2
syscall. Only 386, amd64, mips{,le}, ppc and sparc64 still use the pipe
syscall. However, some systems (e.g. Android seccomp policies) block
that syscall, see golang/go#40828 for an example.
The pipe2 syscall was added in Linux kernel version 2.6.27. The minimum
required Linux kernel version for Go 1.18 will be changed to 2.6.32
per golang/go#45964 so it is possible to unify the implementation of
Pipe using the pipe2 syscall.
Same as CL 350530 did for package syscall.
For golang/go#45964Fixesgolang/go#40828
Change-Id: I07d84d3ea06a54e37d9ff6b72702fe5d96efef7b
Reviewed-on: https://go-review.googlesource.com/c/sys/+/350549
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Matt Layher <mdlayher@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
There is currently no function to allow for setting repair options for sockets in repair mode.
There are 4 options catered for in the linux implementation.
TCPOPT_WINDOW
TCPOPT_MAXSEG
TCPOPT_SACK_PERMITTED
TCPOPT_TIMESTAMP
Details of the patch to the kernel and the thinking behind it is here https://lwn.net/Articles/495304
Work done in this commit
Included the tcp options type and length for inclusion in the Docker build
Added TCPOPT to the regular expression in mkerrors.sh. There was only TCP_ previously
Add the new function to syscall_unix.go
I have tested locally and verified each option with ss -i
I am not sure whether to commit tests because I don't know if socket creation is possible on the test runs in the offical pipeline.
I did check for existing tests but didn't see any that created sockets, only one that validated a string option.
Fixesgolang/go#46984
Change-Id: Iade0434c05cebf2fbdfb5f04b2a7b51c8b358423
Reviewed-on: https://go-review.googlesource.com/c/sys/+/332709
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
The existing ioctl stubs for all UNIX-like platforms take a value of type
uintptr for the arg parameter. However, arguments which are cast from
unsafe.Pointer to uintptr technically violate the rules for package unsafe.
unsafe only allows a conversion from unsafe.Pointer to uintptr directly
within a call to Syscall.
ioctl is used on all UNIX-like operating systems and each one will have
to be updated accordingly where pointer arguments are passed to system
calls. To remedy this on Linux, we generate a new function called
ioctlPtr which takes a value of type unsafe.Pointer for arg. More
operating systems can be updated in future CLs by folks who have access
to those systems and can run the appropriate code generator.
Updates golang/go#44834
Change-Id: Ia9424be424b3dba91bb44d3a7a12bfb2179f0d86
Reviewed-on: https://go-review.googlesource.com/c/sys/+/340915
Trust: Matt Layher <mdlayher@gmail.com>
Trust: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Matt Layher <mdlayher@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
