Beispiel #1
0
func setupEnv(u *user.User) (err error) {
	var (
		uid int
		gid int
	)
	if uid, err = strconv.Atoi(u.Uid); err != nil {
		return
	}
	if gid, err = strconv.Atoi(u.Gid); err != nil {
		return
	}
	//if err = syscall.Setgroups([]int{gid}); err != nil {
	//	return
	//}
	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0)
	if e1 != 0 {
		err = e1
		return
	}
	_, _, e1 = syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
	if e1 != 0 {
		err = e1
		return
	}
	os.Setenv("USER", u.Username)
	os.Setenv("HOME", u.HomeDir)
	os.Setenv("UID", u.Uid)
	return nil
}
Beispiel #2
0
// New returns a new SysInfo, using the filesystem to detect which features
// the kernel supports. If `quiet` is `false` warnings are printed in logs
// whenever an error occurs or misconfigurations are present.
func New(quiet bool) *SysInfo {
	sysInfo := &SysInfo{}
	cgMounts, err := findCgroupMountpoints()
	if err != nil {
		logrus.Warnf("Failed to parse cgroup information: %v", err)
	} else {
		sysInfo.cgroupMemInfo = checkCgroupMem(cgMounts, quiet)
		sysInfo.cgroupCPUInfo = checkCgroupCPU(cgMounts, quiet)
		sysInfo.cgroupBlkioInfo = checkCgroupBlkioInfo(cgMounts, quiet)
		sysInfo.cgroupCpusetInfo = checkCgroupCpusetInfo(cgMounts, quiet)
		sysInfo.cgroupPids = checkCgroupPids(quiet)
	}

	_, ok := cgMounts["devices"]
	sysInfo.CgroupDevicesEnabled = ok

	sysInfo.IPv4ForwardingDisabled = !readProcBool("/proc/sys/net/ipv4/ip_forward")
	sysInfo.BridgeNFCallIPTablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-iptables")
	sysInfo.BridgeNFCallIP6TablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-ip6tables")

	// Check if AppArmor is supported.
	if _, err := os.Stat("/sys/kernel/security/apparmor"); !os.IsNotExist(err) {
		sysInfo.AppArmor = true
	}

	// Check if Seccomp is supported, via CONFIG_SECCOMP.
	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
			sysInfo.Seccomp = true
		}
	}

	return sysInfo
}
func (UserExecer) ExecAsUser(uid, gid int, workDir, programName string, args ...string) error {
	if _, _, errNo := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0); errNo != 0 {
		return fmt.Errorf("system: setgid: %s", errNo.Error())
	}
	if _, _, errNo := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0); errNo != 0 {
		return fmt.Errorf("system: setuid: %s", errNo.Error())
	}

	if workDir == "" {
		return errors.New("system: working directory is not provided.")
	}

	if err := os.MkdirAll(workDir, 0755); err != nil {
		return fmt.Errorf("system: %s", err)
	}

	if err := os.Chdir(workDir); err != nil {
		return fmt.Errorf("system: invalid working directory: %s", workDir)
	}

	programPath, err := exec.LookPath(programName)
	if err != nil {
		return fmt.Errorf("system: program '%s' was not found in $PATH: %s", programName, err)
	}

	if err := syscall.Exec(programPath, append([]string{programName}, args...), os.Environ()); err != nil {
		return fmt.Errorf("system: exec of %s: %s", programName, err)
	}
	return nil
}
Beispiel #4
0
// New returns a new SysInfo, using the filesystem to detect which features
// the kernel supports. If `quiet` is `false` warnings are printed in logs
// whenever an error occurs or misconfigurations are present.
func New(quiet bool) *SysInfo {
	sysInfo := &SysInfo{}
	sysInfo.cgroupMemInfo = checkCgroupMem(quiet)
	sysInfo.cgroupCPUInfo = checkCgroupCPU(quiet)
	sysInfo.cgroupBlkioInfo = checkCgroupBlkioInfo(quiet)
	sysInfo.cgroupCpusetInfo = checkCgroupCpusetInfo(quiet)

	_, err := cgroups.FindCgroupMountpoint("devices")
	sysInfo.CgroupDevicesEnabled = err == nil

	sysInfo.IPv4ForwardingDisabled = !readProcBool("/proc/sys/net/ipv4/ip_forward")
	sysInfo.BridgeNfCallIptablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-iptables")
	sysInfo.BridgeNfCallIP6tablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-ip6tables")

	// Check if AppArmor is supported.
	if _, err := os.Stat("/sys/kernel/security/apparmor"); !os.IsNotExist(err) {
		sysInfo.AppArmor = true
	}

	// Check if Seccomp is supported, via CONFIG_SECCOMP.
	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
			sysInfo.Seccomp = true
		}
	}

	return sysInfo
}
Beispiel #5
0
func shmOpen(size int) (shmid uintptr, addr unsafe.Pointer, err error) {
	shmid, _, errno0 := syscall.RawSyscall(syscall.SYS_SHMGET, ipcPrivate, uintptr(size), ipcCreat|0600)
	if errno0 != 0 {
		return 0, unsafe.Pointer(uintptr(0)), errno0
	}
	p, _, errno1 := syscall.RawSyscall(syscall.SYS_SHMAT, shmid, 0, 0)
	_, _, errno2 := syscall.RawSyscall(syscall.SYS_SHMCTL, shmid, ipcRmID, 0)
	if errno1 != 0 {
		return 0, unsafe.Pointer(uintptr(0)), errno1
	}
	if errno2 != 0 {
		return 0, unsafe.Pointer(uintptr(0)), errno2
	}
	return shmid, unsafe.Pointer(p), nil
}
Beispiel #6
0
// GetSubreaper returns the subreaper setting for the calling process
func GetSubreaper() (int, error) {
	var i uintptr
	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, PR_GET_CHILD_SUBREAPER, uintptr(unsafe.Pointer(&i)), 0); err != 0 {
		return -1, err
	}
	return int(i), nil
}
Beispiel #7
0
func rawIoctl(fd uintptr, req uint, arg uintptr) error {
	_, _, err := syscall.RawSyscall(syscall.SYS_IOCTL, fd, uintptr(req), arg)
	if err != 0 {
		return err
	}
	return nil
}
Beispiel #8
0
func CurrentProcessInfo() *ProcessInfo {
	var hasTty bool
	cwd, _ := os.Getwd()
	grp, _ := os.Getgroups()
	// no syscall.Getsid() wrapper on Linux?
	sid, _, _ := syscall.RawSyscall(syscall.SYS_GETSID, 0, 0, 0)

	if fh, err := os.Open("/dev/tty"); err == nil {
		hasTty = true
		fh.Close()
	}

	return &ProcessInfo{
		Ppid:   os.Getppid(),
		Pid:    os.Getpid(),
		Uid:    os.Getuid(),
		Euid:   os.Geteuid(),
		Gid:    os.Getgid(),
		Egid:   os.Getegid(),
		Pgrp:   syscall.Getpgrp(),
		Sid:    int(sid),
		Dir:    cwd,
		Groups: grp,
		Args:   os.Args,
		Env:    os.Environ(),
		HasTty: hasTty,
	}
}
Beispiel #9
0
func Current() Thread {
	tid, _, e := syscall.RawSyscall(syscall.SYS_GETTID, 0, 0, 0)
	if e != 0 {
		panic(e)
	}
	return Thread{int(tid)}
}
Beispiel #10
0
func PreRunService() {
	fmt.Println("Starting server!")
	ret, _, errNo := syscall.RawSyscall(syscall.SYS_FORK, 0, 0, 0)
	if errNo != 0 {
		panic(errors.New(fmt.Sprintf("Fork failed err: %d ", errNo)))
	} else {
		return
	}
	switch ret {
	case 0:
		break
	default:
		os.Exit(0)
	}
	sid, err := syscall.Setsid()
	utilities.CheckError(err)
	if sid == -1 {
		os.Exit(-1)
	}

	router := mux.NewRouter().StrictSlash(true)
	router.HandleFunc("/", Index)
	router.HandleFunc("/ls", GetFileList)
	router.HandleFunc("/file", GetFile)
	router.HandleFunc("/tunnel", GetTunnel)

	defer log.Fatal(http.ListenAndServe(":5922", router))
	fmt.Println("WTF!")
}
Beispiel #11
0
func setns(fd uintptr, flags uintptr) error {
	_, _, err := syscall.RawSyscall(SYS_SETNS, fd, flags, 0)
	if err != 0 {
		return err
	}
	return nil
}
// GetSubreaper returns the subreaper setting for the calling process
func GetSubreaper() (int, error) {
	var i uintptr
	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, prGetChildSubreaper, uintptr(unsafe.Pointer(&i)), 0); err != 0 {
		return -1, err
	}
	return int(i), nil
}
Beispiel #13
0
// IsEnabled returns if the kernel has been configured to support seccomp.
func IsEnabled() bool {
	// Try to read from /proc/self/status for kernels > 3.8
	s, err := parseStatusFile("/proc/self/status")
	if err != nil {
		// Check if Seccomp is supported, via CONFIG_SECCOMP.
		if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
			if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
				return true
			}
		}
		return false
	}
	_, ok := s["Seccomp"]
	return ok
}
Beispiel #14
0
func daemon(nochdir, noclose int) int {
	var ret, ret2 uintptr
	var err syscall.Errno

	darwin := runtime.GOOS == "darwin"

	// already a daemon
	if syscall.Getppid() == 1 {
		return 0
	}

	// fork off the parent process
	ret, ret2, err = syscall.RawSyscall(syscall.SYS_FORK, 0, 0, 0)
	if err != 0 {
		return -1
	}

	// failure
	if ret2 < 0 {
		os.Exit(-1)
	}

	// handle exception for darwin
	if darwin && ret2 == 1 {
		ret = 0
	}

	// if we got a good PID, then we call exit the parent process.
	if ret > 0 {
		os.Exit(0)
	}

	/* Change the file mode mask */
	_ = syscall.Umask(0)

	// create a new SID for the child process
	s_ret, s_errno := syscall.Setsid()
	if s_errno != nil {
		log.Printf("Error: syscall.Setsid errno: %d", s_errno)
	}
	if s_ret < 0 {
		return -1
	}

	if nochdir == 0 {
		os.Chdir("/")
	}

	if noclose == 0 {
		f, e := os.OpenFile("/dev/null", os.O_RDWR, 0)
		if e == nil {
			fd := f.Fd()
			syscall.Dup2(int(fd), int(os.Stdin.Fd()))
			syscall.Dup2(int(fd), int(os.Stdout.Fd()))
			syscall.Dup2(int(fd), int(os.Stderr.Fd()))
		}
	}

	return 0
}
Beispiel #15
0
func ioctlEthtool(fd int, argp uintptr) error {
	_, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(SIOCETHTOOL), argp)
	if errno != 0 {
		return errno
	}
	return nil
}
Beispiel #16
0
func ClearKeepCaps() error {
	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_KEEPCAPS, 0, 0); err != 0 {
		return err
	}

	return nil
}
func setuid(uid int) (err error) {
	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
	if e1 != 0 {
		err = e1
	}
	return
}
func SetEnv() {
	flag.Parse()

	if *debug {
		log.SetLevel(log.DebugLevel)
	}

	if *logFile != "" {
		if output, err := os.OpenFile(*logFile, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666); err != nil {
			log.Fatalf("Failed to log to file %s: %v", *logFile, err)
		} else {
			log.SetOutput(output)
		}
	}

	textFormatter := &log.TextFormatter{
		FullTimestamp: true,
	}
	log.SetFormatter(textFormatter)

	if *catalogUrl == "" {
		err := "Halting Catalog service, Catalog github repo url not provided"
		log.Fatal(err)
		fmt.Errorf(err)
	}

	// Shutdown when parent dies
	if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGTERM), 0); err != 0 {
		log.Fatal("Failed to set parent death sinal, err")
	}
}
Beispiel #19
0
func (this torUtil) SetDaemonMode(nochdir, noclose int) int {
	if syscall.Getppid() == 1 {
		return 0
	}
	ret, ret2, err := syscall.RawSyscall(syscall.SYS_FORK, 0, 0, 0)
	if err != 0 {
		return -1
	}
	if ret2 < 0 {
		os.Exit(-1)
	}
	if ret > 0 {
		os.Exit(0)
	}
	syscall.Umask(0)
	s_ret, s_errno := syscall.Setsid()
	if s_ret < 0 {
		return -1
	}
	if nochdir == 0 {
		os.Chdir("/")
	}
	if noclose == 0 {
		f, e := os.OpenFile("/dev/null", os.O_RDWR, 0)
		if e == nil {
			fd := f.Fd()
			syscall.Dup2(int(fd), int(os.Stdin.Fd()))
			syscall.Dup2(int(fd), int(os.Stdout.Fd()))
			syscall.Dup2(int(fd), int(os.Stderr.Fd()))
		}
	}
	return 0
}
Beispiel #20
0
//	golang version of Clock_gettime SYSCALL
func clock_gettime(clockid int, ts *syscall.Timespec) error {
	_, _, e1 := syscall.RawSyscall(syscall.SYS_CLOCK_GETTIME, uintptr(clockid), uintptr(unsafe.Pointer(ts)), 0)
	if e1 != 0 {
		return e1
	}
	return nil
}
Beispiel #21
0
func shmClose(p unsafe.Pointer) error {
	_, _, errno := syscall.RawSyscall(syscall.SYS_SHMDT, uintptr(p), 0, 0)
	if errno != 0 {
		return errno
	}
	return nil
}
// Setgid sets the gid of the calling thread to the specified gid.
func Setgid(gid int) (err error) {
	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETGID32, uintptr(gid), 0, 0)
	if e1 != 0 {
		err = e1
	}
	return
}
// SetAffinity attend the cpu list to pid,
// note: SetAffinity apply to thread ID only,
// to fully control one process, call SetAffinity for all thread of the process.
// use os.GetThreadIDs() to get all thread of the process
// check ghttps://github.com/golang/go/issues/11243
func SetAffinity(pid int, cpus []int) error {
	var mask [1024 / 64]uintptr
	if pid <= 0 {
		pidget, _, _ := syscall.RawSyscall(unix.SYS_GETPID, 0, 0, 0)
		pid = int(pidget)
	}
	for _, cpuIdx := range cpus {
		cpuIndex := uint(cpuIdx)
		mask[cpuIndex/64] |= 1 << (cpuIndex % 64)
	}
	_, _, err := syscall.RawSyscall(unix.SYS_SCHED_SETAFFINITY, uintptr(pid), uintptr(len(mask)*8), uintptr(unsafe.Pointer(&mask[0])))
	if err != 0 {
		return err
	}
	return nil
}
Beispiel #24
0
func Syncfs(fd int) error {
	_, _, err := syscall.RawSyscall(SYS_SYNCFS, uintptr(fd), 0, 0)
	if err != 0 {
		return syscall.Errno(err)
	}
	return nil
}
Beispiel #25
0
func GetParentDeathSignal() (ParentDeathSignal, error) {
	var sig int
	_, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0)
	if err != 0 {
		return -1, err
	}
	return ParentDeathSignal(sig), nil
}
Beispiel #26
0
// SetNS sets the network namespace on a target file.
func SetNS(f *os.File, flags uintptr) error {
	_, _, err := syscall.RawSyscall(setNsNr, f.Fd(), flags, 0)
	if err != 0 {
		return err
	}

	return nil
}
Beispiel #27
0
func Setgid(gid int) (err error) {
	_, _, errno := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0)
	if errno != 0 {
		err = errno
	}

	return
}
Beispiel #28
0
func ioctl(fd, name, v uintptr) error {
	_, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, fd, name, v)
	if errno == 0 {
		return nil
	}

	return errno
}
Beispiel #29
0
func getpeername(s int, addr []byte) error {
	l := uint32(len(addr))
	_, _, errno := syscall.RawSyscall(syscall.SYS_GETPEERNAME, uintptr(s), uintptr(unsafe.Pointer(&addr[0])), uintptr(unsafe.Pointer(&l)))
	if errno != 0 {
		return error(errno)
	}
	return nil
}
Beispiel #30
0
func rawSetuid(uid int) error {
	_, _, errno := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
	if errno != 0 {
		return errno
	}

	return nil
}