func isSupportedSyzkall(kallsyms []byte, c *sys.Call) bool {
switch c.CallName {
case "syz_open_dev":
ptr, ok := c.Args[0].(sys.PtrType)
if !ok {
panic("first open arg is not a pointer")
}
fname, ok := ptr.Type.(sys.StrConstType)
if !ok {
panic("first open arg is not a pointer to string const")
}
if syscall.Getuid() != 0 {
return false
}
dev := strings.Replace(fname.Val, "#", "0", 1)
_, err := os.Stat(dev)
return err == nil
case "syz_open_pts":
return true
case "syz_fuse_mount":
_, err := os.Stat("/dev/fuse")
return err == nil
case "syz_fuseblk_mount":
_, err := os.Stat("/dev/fuse")
return err == nil && syscall.Getuid() == 0
default:
panic("unknown syzkall: " + c.Name)
}
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(u, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
// if not root - check uid/gid by hand if seccomp is not working
if syscall.Geteuid() > 0 && (execUser.Uid <= MIN_UID || execUser.Gid <= MIN_GID) {
return fmt.Errorf("Invalid UID or GID")
}
// set supplementary groups
if err := syscall.Setgroups(execUser.Sgids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
// set gid
if err := system.Setgid(execUser.Gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
// check if setgid is successfull
if syscall.Getgid() != execUser.Gid {
return fmt.Errorf("setgid failed")
}
// set uid
if err := system.Setuid(execUser.Uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// check if setuid is successful
if syscall.Getuid() != execUser.Uid {
return fmt.Errorf("setuid failed")
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
return nil
}
func (d *Driver) Create() error {
b2dutils := mcnutils.NewB2dUtils(d.StorePath)
if err := b2dutils.CopyIsoToMachineDir(d.Boot2DockerURL, d.MachineName); err != nil {
return err
}
log.Infof("Creating VM...")
if err := os.MkdirAll(d.ResolveStorePath("."), 0755); err != nil {
return err
}
log.Infof("Extracting vmlinuz64 and initrd.img from %s...", isoFilename)
if err := d.extractKernelImages(); err != nil {
return err
}
log.Infof("Generating %dMB disk image...", d.DiskSize)
if err := d.generateDiskImage(d.DiskSize); err != nil {
return err
}
// Fix file permission root to current user for vmnet.framework
log.Infof("Fix file permission...")
os.Chown(d.ResolveStorePath("."), syscall.Getuid(), syscall.Getegid())
files, _ := ioutil.ReadDir(d.ResolveStorePath("."))
for _, f := range files {
log.Debugf(d.ResolveStorePath(f.Name()))
os.Chown(d.ResolveStorePath(f.Name()), syscall.Getuid(), syscall.Getegid())
}
log.Infof("Generate UUID...")
d.UUID = uuidgen()
log.Debugf("Generated UUID: %s", d.UUID)
log.Infof("Convert UUID to MAC address...")
rawUUID, err := d.getMACAdress()
if err != nil {
return err
}
d.MacAddr = trimMacAddress(rawUUID)
log.Debugf("Converted MAC address: %s", d.MacAddr)
log.Infof("Starting %s...", d.MachineName)
if err := d.Start(); err != nil {
return err
}
// Setup NFS sharing
if d.NFSShare {
log.Infof("NFS share folder must be root. Please insert root password.")
err = d.setupNFSShare()
if err != nil {
log.Errorf("NFS setup failed: %s", err.Error())
}
}
return nil
}
func TestCurrent(t *testing.T) {
uid := strconv.Itoa(syscall.Getuid())
users := []string{
fmt.Sprintf("current:*:%s:%s:Current User:/home/current:/bin/bash", uid, uid),
}
db, err := newUserDatabase(users)
if err != nil {
t.Error(err)
}
defer os.Remove(db)
userDatabase = db
want := &User{
Username: "******",
Uid: uid,
Gid: uid,
Name: "Current User",
HomeDir: "/home/current",
}
got, err := Current()
if err != nil {
t.Error(err)
}
if !reflect.DeepEqual(want, got) {
t.Errorf("want %v, got %v", want, got)
}
}
func setupUser(container *libcontainer.Container) error {
switch container.User {
case "root", "":
if err := system.Setgroups(nil); err != nil {
return err
}
if err := system.Setresgid(0, 0, 0); err != nil {
return err
}
if err := system.Setresuid(0, 0, 0); err != nil {
return err
}
default:
uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
if err != nil {
return err
}
if err := system.Setgroups(suppGids); err != nil {
return err
}
if err := system.Setgid(gid); err != nil {
return err
}
if err := system.Setuid(uid); err != nil {
return err
}
}
return nil
}
func init() {
defer trace.End(trace.Begin(""))
trace.Logger.Level = log.DebugLevel
_ = pprof.StartPprof("vicadmin", pprof.VicadminPort)
// We don't want to run this as root.
ud := syscall.Getuid()
gd := syscall.Getgid()
log.Info(fmt.Sprintf("Current UID/GID = %d/%d", ud, gd))
// TODO: Enable this after we figure out to NOT break the test suite with it.
// if ud == 0 {
// log.Errorf("Error: vicadmin must not run as root.")
// time.Sleep(60 * time.Second)
// os.Exit(1)
// }
flag.StringVar(&rootConfig.addr, "l", "client.localhost:2378", "Listen address")
// TODO: This should all be pulled from the config
flag.StringVar(&rootConfig.DatacenterPath, "dc", "", "Path of the datacenter")
flag.StringVar(&rootConfig.ClusterPath, "cluster", "", "Path of the cluster")
flag.StringVar(&rootConfig.PoolPath, "pool", "", "Path of the resource pool")
// load the vch config
src, err := extraconfig.GuestInfoSource()
if err != nil {
log.Errorf("Unable to load configuration from guestinfo")
return
}
extraconfig.Decode(src, &vchConfig)
// FIXME: pull the rest from flags
flag.Parse()
}
func TestRuleAddAndLoad(t *testing.T) {
// Test #1: Add a trivial filter
filter1, err := NewFilter(ActAllow)
if err != nil {
t.Errorf("Error creating filter: %s", err)
}
defer filter1.Release()
call, err := GetSyscallFromName("getpid")
if err != nil {
t.Errorf("Error getting syscall number of getpid: %s", err)
}
call2, err := GetSyscallFromName("setreuid")
if err != nil {
t.Errorf("Error getting syscall number of setreuid: %s", err)
}
uid := syscall.Getuid()
euid := syscall.Geteuid()
err = filter1.AddRule(call, ActErrno.SetReturnCode(0x1))
if err != nil {
t.Errorf("Error adding rule to restrict syscall: %s", err)
}
cond, err := MakeCondition(1, CompareEqual, uint64(euid))
if err != nil {
t.Errorf("Error making rule to restrict syscall: %s", err)
}
cond2, err := MakeCondition(0, CompareEqual, uint64(uid))
if err != nil {
t.Errorf("Error making rule to restrict syscall: %s", err)
}
conditions := []ScmpCondition{cond, cond2}
err = filter1.AddRuleConditional(call2, ActErrno.SetReturnCode(0x2), conditions)
if err != nil {
t.Errorf("Error adding conditional rule: %s", err)
}
err = filter1.Load()
if err != nil {
t.Errorf("Error loading filter: %s", err)
}
// Try making a simple syscall, it should error
pid := syscall.Getpid()
if pid != -1 {
t.Errorf("Syscall should have returned error code!")
}
// Try making a Geteuid syscall that should normally succeed
err = syscall.Setreuid(uid, euid)
if err != syscall.Errno(2) {
t.Errorf("Syscall should have returned error code!")
}
}
func NewTarWriter(name string, w io.Writer) *TarWriter {
return &TarWriter{
Writer: tar.NewWriter(w),
uid: syscall.Getuid(),
name: name,
}
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
uid, gid, suppGids, home, err := user.GetUserGroupSupplementaryHome(u, syscall.Getuid(), syscall.Getgid(), "/")
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
if err := syscall.Setgroups(suppGids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := syscall.Setgid(gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := syscall.Setuid(uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
return nil
}
func mkKindiDir(path string) (string, error) {
var name string
if len(path) == 0 || path == "~/.kindi" {
uid := syscall.Getuid()
uid_str := strconv.Itoa(uid)
u, err := user.LookupId(uid_str)
if err != nil {
return "", err
}
if e, g := uid_str, u.Uid; e != g {
return "", fmt.Errorf("expected Uid of %d; got %d", e, g)
}
fi, err := os.Stat(u.HomeDir)
if err != nil || !fi.IsDir() {
return "", fmt.Errorf("expected a valid HomeDir; stat(%q): err=%v, IsDirectory=%v", err, fi.IsDir())
}
name = filepath.Join(u.HomeDir, ".kindi")
} else {
name = path
}
err := os.Mkdir(name, 0700)
if err != nil {
if pe, ok := err.(*os.PathError); ok && pe.Err == syscall.EEXIST {
return name, nil
}
return "", err
}
return name, nil
}
func TestLookup(t *testing.T) {
if skip(t) {
return
}
// Test LookupId on the current user
uid := syscall.Getuid()
u, err := LookupId(uid)
if err != nil {
t.Fatalf("LookupId: %v", err)
}
if e, g := uid, u.Uid; e != g {
t.Errorf("expected Uid of %d; got %d", e, g)
}
fi, err := os.Stat(u.HomeDir)
if err != nil || !fi.IsDirectory() {
t.Errorf("expected a valid HomeDir; stat(%q): err=%v, IsDirectory=%v", u.HomeDir, err, fi.IsDirectory())
}
if u.Username == "" {
t.Fatalf("didn't get a username")
}
// Test Lookup by username, using the username from LookupId
un, err := Lookup(u.Username)
if err != nil {
t.Fatalf("Lookup: %v", err)
}
if !reflect.DeepEqual(u, un) {
t.Errorf("Lookup by userid vs. name didn't match\n"+
"LookupId(%d): %#v\n"+
"Lookup(%q): %#v\n", uid, u, u.Username, un)
}
}
func (d *Driver) CopyIsoToMachineDir(isoURL, machineName string) error {
b2d := b2d.NewB2dUtils(d.StorePath)
mcnutils := mcnutils.NewB2dUtils(d.StorePath)
if err := d.UpdateISOCache(isoURL); err != nil {
return err
}
isoPath := filepath.Join(b2d.ImgCachePath, isoFilename)
if isoStat, err := os.Stat(isoPath); err == nil {
if int(isoStat.Sys().(*syscall.Stat_t).Uid) == 0 {
log.Debugf("Fix %s file permission...", isoStat.Name())
os.Chown(isoPath, syscall.Getuid(), syscall.Getegid())
}
}
// TODO: This is a bit off-color.
machineDir := filepath.Join(d.StorePath, "machines", machineName)
machineIsoPath := filepath.Join(machineDir, isoFilename)
// By default just copy the existing "cached" iso to the machine's directory...
defaultISO := filepath.Join(b2d.ImgCachePath, defaultISOFilename)
if isoURL == "" {
log.Infof("Copying %s to %s...", defaultISO, machineIsoPath)
return CopyFile(defaultISO, machineIsoPath)
}
// if ISO is specified, check if it matches a github releases url or fallback to a direct download
downloadURL, err := b2d.GetReleaseURL(isoURL)
if err != nil {
return err
}
return mcnutils.DownloadISO(machineDir, b2d.Filename(), downloadURL)
}
func TestStatFile(t *testing.T) {
tmp := tempdir.New(t)
defer tmp.Cleanup()
app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
defer app.Close()
bazfstestutil.CreateVolume(t, app, "default")
mnt := bazfstestutil.Mounted(t, app, "default")
defer mnt.Close()
p := path.Join(mnt.Dir, "hello")
f, err := os.Create(p)
if err != nil {
t.Fatalf("cannot create hello: %v", err)
}
defer f.Close()
GREETING := "hello, world\n"
n, err := f.Write([]byte(GREETING))
if err != nil {
t.Fatalf("cannot write to hello: %v", err)
}
if n != len(GREETING) {
t.Fatalf("bad length write to hello: %d != %d", n, len(GREETING))
}
err = f.Close()
if err != nil {
t.Fatalf("closing hello failed: %v", err)
}
fi, err := os.Stat(p)
if err != nil {
t.Fatalf("cannot stat hello: %v", err)
}
mode := fi.Mode()
if (mode & os.ModeType) != 0 {
t.Errorf("hello is not a file: %#v", fi)
}
if mode.Perm() != 0644 {
t.Errorf("file has weird access mode: %v", mode.Perm())
}
switch stat := fi.Sys().(type) {
case *syscall.Stat_t:
if stat.Nlink != 1 {
t.Errorf("file has wrong link count: %v", stat.Nlink)
}
if stat.Uid != uint32(syscall.Getuid()) {
t.Errorf("file has wrong uid: %d", stat.Uid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("file has wrong gid: %d", stat.Gid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("file has wrong gid: %d", stat.Gid)
}
}
if fi.Size() != int64(len(GREETING)) {
t.Errorf("file has wrong size: %d != %d", fi.Size(), len(GREETING))
}
}
func NewTarWriter(name string, w io.Writer, progress ProgressBar) *TarWriter {
return &TarWriter{
Writer: tar.NewWriter(w),
uid: syscall.Getuid(),
name: name,
progress: progress,
}
}
// Checks if it is possible to activate the mitigation.
func CanActivate() bool {
if runtime.GOOS == "windows" {
return false
}
uid := syscall.Getuid()
return uid == 0
}
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
var addGroups []int
if len(config.Config.AdditionalGroups) > 0 {
addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
if err != nil {
return err
}
}
// change the permissions on the STDIO of the current process so that when the user
// is changed for the container, it's STDIO of the process matches the user.
for _, fd := range []uintptr{
os.Stdin.Fd(),
os.Stderr.Fd(),
os.Stdout.Fd(),
} {
if err := syscall.Fchown(int(fd), execUser.Uid, execUser.Gid); err != nil {
return err
}
}
suppGroups := append(execUser.Sgids, addGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return err
}
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return err
}
}
return nil
}
func DefaultBaseDirGet() string {
uid := syscall.Getuid()
u, err := user.LookupId(strconv.Itoa(uid))
if err != nil {
log.Printf("Error looking up user, %v\n", err)
os.Exit(-2)
}
return u.HomeDir + _DEFAULT_USER_BASEDIR
}
func isSupportedSyzkall(c *sys.Call) bool {
switch c.CallName {
case "syz_test":
return false
case "syz_open_dev":
ptr, ok := c.Args[0].(sys.PtrType)
if !ok {
return true
}
fname, ok := ptr.Type.(sys.StrConstType)
if !ok {
panic("first open arg is not a pointer to string const")
}
if syscall.Getuid() != 0 {
return false
}
var check func(dev string) bool
check = func(dev string) bool {
if !strings.Contains(dev, "#") {
_, err := os.Stat(dev)
return err == nil
}
for i := 0; i < 10; i++ {
if check(strings.Replace(dev, "#", strconv.Itoa(i), 1)) {
return true
}
}
return false
}
return check(fname.Val[:len(fname.Val)-1])
case "syz_open_pts":
return true
case "syz_fuse_mount":
_, err := os.Stat("/dev/fuse")
return err == nil
case "syz_fuseblk_mount":
_, err := os.Stat("/dev/fuse")
return err == nil && syscall.Getuid() == 0
default:
panic("unknown syzkall: " + c.Name)
}
}
func TestSimple(t *testing.T) {
tmp := tempdir.New(t)
defer tmp.Cleanup()
app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
defer app.Close()
bazfstestutil.CreateVolume(t, app, "default")
mnt := bazfstestutil.Mounted(t, app, "default")
defer mnt.Close()
fi, err := os.Stat(mnt.Dir)
if err != nil {
t.Fatalf("root getattr failed with %v", err)
}
mode := fi.Mode()
if (mode & os.ModeType) != os.ModeDir {
t.Errorf("root is not a directory: %#v", fi)
}
if mode.Perm() != 0755 {
t.Errorf("root has weird access mode: %v", mode.Perm())
}
switch stat := fi.Sys().(type) {
case *syscall.Stat_t:
if stat.Nlink != 1 {
t.Errorf("root has wrong link count: %v", stat.Nlink)
}
if stat.Uid != uint32(syscall.Getuid()) {
t.Errorf("root has wrong uid: %d", stat.Uid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("root has wrong gid: %d", stat.Gid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("root has wrong gid: %d", stat.Gid)
}
}
dirf, err := os.Open(mnt.Dir)
if err != nil {
t.Fatalf("cannot open root dir: %v", err)
}
defer dirf.Close()
names, err := dirf.Readdirnames(10)
if err != nil && err != io.EOF {
t.Fatalf("cannot list root dir: %v", err)
}
if len(names) > 0 {
t.Errorf("unexpected content in root dir: %v", names)
}
err = dirf.Close()
if err != nil {
t.Fatalf("closing root dir failed: %v", err)
}
}
func setupHome(rw http.ResponseWriter, req *http.Request) {
_, port, _ := net.SplitHostPort(*webserver.Listen)
ourAddr := "127.0.0.1:" + port
uid, err := netutil.AddrPairUserid(req.RemoteAddr, ourAddr)
fmt.Fprintf(rw, "Hello %q\n", req.RemoteAddr)
fmt.Fprintf(rw, "<p>uid = %d\n", syscall.Getuid())
fmt.Fprintf(rw, "<p>euid = %d\n", syscall.Geteuid())
fmt.Fprintf(rw, "<p>http_local_uid(%q => %q) = %d (%v)\n", req.RemoteAddr, ourAddr, uid, err)
}
// ShouldDropPrivs returns true if the application runs with sufficient
// privileges so that it should drop them
func ShouldDropPrivs() bool {
if groups, err := syscall.Getgroups(); err == nil {
for _, gid := range groups {
if gid == 0 {
return true
}
}
}
return syscall.Getuid() == 0 || syscall.Getgid() == 0
}
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
/* var addGroups []int
if len(config.Config.AdditionalGroups) > 0 {
addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
if err != nil {
return err
}
}*/
// before we change to the container's user make sure that the processes STDIO
// is correctly owned by the user that we are switching to.
if err := fixStdioPermissions(execUser); err != nil {
return err
}
/*
suppGroups := append(execUser.Sgids, addGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return err
}*/
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return err
}
}
return nil
}
func getUsername(userFile string) (string, error) {
users, err := passwd.ReadUsers(userFile)
if err != nil {
return "", err
}
name, found := users.NameForID(syscall.Getuid())
if !found {
return "", fmt.Errorf("could not find user in %s", userFile)
}
return name, nil
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
uid, gid, suppGids, err := user.GetUserGroupSupplementary(u, syscall.Getuid(), syscall.Getgid())
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
if err := system.Setgroups(suppGids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
return nil
}
func init() {
hasRoot = syscall.Geteuid() == 0
sudoUid, ok := syscall.Getenv("SUDO_UID")
if ok {
var err error
realUid, err = strconv.Atoi(sudoUid)
if err != nil {
fatalln("SUDO_UID", err)
}
} else {
realUid = syscall.Getuid()
}
dropRoot()
}
func setupUser(container *libcontainer.Container) error {
uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
if err != nil {
return fmt.Errorf("GetUserGroupSupplementary %s", err)
}
if err := system.Setgroups(suppGids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
return nil
}
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
var addGroups []int
if len(config.Config.AdditionalGroups) > 0 {
addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
if err != nil {
return err
}
}
suppGroups := append(execUser.Sgids, addGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return err
}
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return err
}
}
return nil
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(container *libcontainer.Config) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(container.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
suppGroups := append(execUser.Sgids, container.AdditionalGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(execUser.Gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(execUser.Uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
return nil
}
func isSupportedSyzkall(kallsyms []byte, c *sys.Call) bool {
switch c.CallName {
case "syz_openpts":
return true
case "syz_dri_open":
_, err := os.Stat("/dev/dri/card0")
return err == nil
case "syz_fuse_mount":
_, err := os.Stat("/dev/fuse")
return err == nil
case "syz_fuseblk_mount":
_, err := os.Stat("/dev/fuse")
return err == nil && syscall.Getuid() == 0
default:
panic("unknown syzkall")
}
}
func AddStringToTar(tw *tar.Writer, name, file string) error {
hdr := &tar.Header{
Name: name,
Size: int64(len(file)),
Mode: 0666,
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
}
if err := tw.WriteHeader(hdr); err != nil {
return err
}
if _, err := tw.Write([]byte(file)); err != nil {
return err
}
return nil
}