Don't set /proc/<PID>/setgroups to deny in Go1.5

A boolean field named GidMappingsEnableSetgroups was added to SysProcAttr in Go1.5. This field determines the value of the process's setgroups proc entry. Since the default is to set the entry to 'deny', calling setgroups will fail on systems running kernels 3.19+. Set GidMappingsEnableSetgroups to true so setgroups wont be set to 'deny'. Signed-off-by: Ido Yariv <ido@wizery.com>
2015-07-31 16:33:31 -04:00 · 2015-07-31 16:33:31 -04:00 · 86a85582d2
parent 2fbe13aac3
commit 86a85582d2
3 changed files with 22 additions and 0 deletions
--- a/libcontainer/compat_1.5_linux.go
+++ b/libcontainer/compat_1.5_linux.go
@ -0,0 +1,10 @@
+// +build linux,!go1.5
+
+package libcontainer
+
+import "syscall"
+
+// GidMappingsEnableSetgroups was added in Go 1.5, so do nothing when building
+// with earlier versions
+func enableSetgroups(sys *syscall.SysProcAttr) {
+}
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@ -164,6 +164,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
 			// user mappings are not supported
 			return nil, err
 		}
+		enableSetgroups(cmd.SysProcAttr)
 		// Default to root user when user namespaces are enabled.
 		if cmd.SysProcAttr.Credential == nil {
 			cmd.SysProcAttr.Credential = &syscall.Credential{}
--- a/libcontainer/setgroups_linux.go
+++ b/libcontainer/setgroups_linux.go
@ -0,0 +1,11 @@
+// +build linux,go1.5
+
+package libcontainer
+
+import "syscall"
+
+// Set the GidMappingsEnableSetgroups member to true, so the process's
+// setgroups proc entry wont be set to 'deny' if GidMappings are set
+func enableSetgroups(sys *syscall.SysProcAttr) {
+	sys.GidMappingsEnableSetgroups = true
+}