Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

syscall: add Jail int32 to SysProcAttr on FreeBSD #46259

Closed
gizahNL opened this issue May 19, 2021 · 11 comments
Closed

syscall: add Jail int32 to SysProcAttr on FreeBSD #46259

gizahNL opened this issue May 19, 2021 · 11 comments

Comments

@gizahNL
Copy link

gizahNL commented May 19, 2021

Adding an int32 jail param to SysProcAttr on FreeBSD and calling the JAIL_ATTACH syscall inside the forked child would allow cleanly running a command inside a FreeBSD jail.

@ianlancetaylor ianlancetaylor changed the title syscall/exec FreeBSD add Jail param to SysprocAttr to allow running Command in jail proposal: syscall: add Jail param to SysprocAttr for FreeBSD to allow running Command in jail May 19, 2021
@gopherbot gopherbot added this to the Proposal milestone May 19, 2021
@ianlancetaylor ianlancetaylor changed the title proposal: syscall: add Jail param to SysprocAttr for FreeBSD to allow running Command in jail proposal: syscall: add Jail param to SysProcAttr for FreeBSD to allow running Command in jail May 19, 2021
@rsc
Copy link
Contributor

rsc commented May 19, 2021

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc
Copy link
Contributor

rsc commented May 26, 2021

Does anyone object to this?

@gizahNL
Copy link
Author

gizahNL commented May 27, 2021

An implementation detail I did not think about before:
jail attach chroots into the jail, and changes the working directory of the program to the root of the jail.
If it's feasible to change the working directory in the forked child it must be done after calling the attach syscall, if it's unfeasible I guess an error could be returned when both Cmd.Dir and SysProcAttr.Jail is set as to indicate that such a combination of options is unsupported.

@ianlancetaylor
Copy link
Member

@gizahNL That doesn't seem like a problem. The relevant code is in syscall/exec_bsd.go.

@rsc rsc changed the title proposal: syscall: add Jail param to SysProcAttr for FreeBSD to allow running Command in jail proposal: syscall: add Jail int32 to SysProcAttr on FreeBSD Jun 2, 2021
@rsc
Copy link
Contributor

rsc commented Jun 2, 2021

/cc @samuelkarp to see if this would have helped https://github.com/samuelkarp/runj.

@rsc
Copy link
Contributor

rsc commented Jun 2, 2021

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

@samuelkarp
Copy link

/cc @samuelkarp to see if this would have helped samuelkarp/runj.

Yes, this will likely help runj in some scenarios, while runj will likely invoke JAIL_ATTACH directly in others.

@rsc
Copy link
Contributor

rsc commented Jun 9, 2021

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: syscall: add Jail int32 to SysProcAttr on FreeBSD syscall: add Jail int32 to SysProcAttr on FreeBSD Jun 9, 2021
@rsc rsc modified the milestones: Proposal, Backlog Jun 9, 2021
tklauser added a commit to tklauser/go that referenced this issue Oct 12, 2021
To allow adding fields to ProcSysAttr which are supported on FreeBSD but
not on other BSDs.

For now exec_freebsd.go is an exact copy of exec_bsd.go with adjusted
build tags and copyright year.

For golang#46258
For golang#46259

Change-Id: I7667a0cdf1ca86ef64a147b77c06db70c5f8eb90
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/355569 mentions this issue: syscall: separate ProcSysAttr and forkAndExecInChild for FreeBSD

gopherbot pushed a commit that referenced this issue Oct 14, 2021
To allow adding fields to ProcSysAttr which are supported on FreeBSD but
not on other BSDs.

For now exec_freebsd.go is an exact copy of exec_bsd.go with adjusted
build tags and copyright year.

For #46258
For #46259

Change-Id: I7667a0cdf1ca86ef64a147b77c06db70c5f8eb90
Reviewed-on: https://go-review.googlesource.com/c/go/+/355569
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
@gopherbot gopherbot added the compiler/runtime Issues related to the Go compiler and/or runtime. label Jul 7, 2022
@prattmic prattmic moved this to Triage Backlog in Go Compiler / Runtime Jul 25, 2022
@rsc rsc moved this to Accepted in Proposals Aug 10, 2022
@rsc rsc added this to Proposals Aug 10, 2022
hdbhm added a commit to hdbhm/go that referenced this issue Dec 19, 2022
Introduce a new SysProcAttr member called Jail on FreeBSD. This allows
supplying an existing jail's ID to which the child process is attached
before calling the exec system call.

Fixes golang#46259

Change-Id: Ie282e5b83429131f9a9e1e27cfcb3bcc995d1d4d
hdbhm added a commit to hdbhm/go that referenced this issue Dec 19, 2022
Introduce a new SysProcAttr member called Jail on FreeBSD. This allows
supplying an existing jail's ID to which the child process is attached
before calling the exec system call.

Fixes golang#46259

Change-Id: Ie282e5b83429131f9a9e1e27cfcb3bcc995d1d4d
hdbhm added a commit to hdbhm/go that referenced this issue Dec 19, 2022
Introduce a new SysProcAttr member called Jail on FreeBSD. This allows
supplying an existing jail's ID to which the child process is attached
before calling the exec system call.

Fixes golang#46259

Change-Id: Ie282e5b83429131f9a9e1e27cfcb3bcc995d1d4d
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/458335 mentions this issue: syscall: add jail support to ForkExec on FreeBSD

@github-project-automation github-project-automation bot moved this from Triage Backlog to Done in Go Compiler / Runtime Feb 22, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/498376 mentions this issue: doc/go1.21: mention syscall package changes

gopherbot pushed a commit that referenced this issue May 26, 2023
One of the changes also affects the os package, so mention it
there too.

For #46259

Change-Id: I8041a5ce009725ab210118ee668fc94196d9ff82
Reviewed-on: https://go-review.googlesource.com/c/go/+/498376
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Eli Bendersky <eliben@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
@dmitshur dmitshur modified the milestones: Backlog, Go1.21 Jun 4, 2023
@rsc rsc removed this from Proposals Mar 1, 2024
@golang golang locked and limited conversation to collaborators Jun 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

7 participants