// Copyright 2015 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package syscall_test import ( "fmt" "io" "io/fs" "os" "os/exec" "path/filepath" "runtime" "sort" "strconv" "strings" "sync" "syscall" "testing" "unsafe" ) // chtmpdir changes the working directory to a new temporary directory and // provides a cleanup function. Used when PWD is read-only. func chtmpdir(t *testing.T) func() { oldwd, err := os.Getwd() if err != nil { t.Fatalf("chtmpdir: %v", err) } d, err := os.MkdirTemp("", "test") if err != nil { t.Fatalf("chtmpdir: %v", err) } if err := os.Chdir(d); err != nil { t.Fatalf("chtmpdir: %v", err) } return func() { if err := os.Chdir(oldwd); err != nil { t.Fatalf("chtmpdir: %v", err) } os.RemoveAll(d) } } func touch(t *testing.T, name string) { f, err := os.Create(name) if err != nil { t.Fatal(err) } if err := f.Close(); err != nil { t.Fatal(err) } } const ( _AT_SYMLINK_NOFOLLOW = 0x100 _AT_FDCWD = -0x64 _AT_EACCESS = 0x200 _F_OK = 0 _R_OK = 4 ) func TestFaccessat(t *testing.T) { defer chtmpdir(t)() touch(t, "file1") err := syscall.Faccessat(_AT_FDCWD, "file1", _R_OK, 0) if err != nil { t.Errorf("Faccessat: unexpected error: %v", err) } err = syscall.Faccessat(_AT_FDCWD, "file1", _R_OK, 2) if err != syscall.EINVAL { t.Errorf("Faccessat: unexpected error: %v, want EINVAL", err) } err = syscall.Faccessat(_AT_FDCWD, "file1", _R_OK, _AT_EACCESS) if err != nil { t.Errorf("Faccessat: unexpected error: %v", err) } err = os.Symlink("file1", "symlink1") if err != nil { t.Fatal(err) } err = syscall.Faccessat(_AT_FDCWD, "symlink1", _R_OK, _AT_SYMLINK_NOFOLLOW) if err != nil { t.Errorf("Faccessat SYMLINK_NOFOLLOW: unexpected error %v", err) } // We can't really test _AT_SYMLINK_NOFOLLOW, because there // doesn't seem to be any way to change the mode of a symlink. // We don't test _AT_EACCESS because such tests are only // meaningful if run as root. err = syscall.Fchmodat(_AT_FDCWD, "file1", 0, 0) if err != nil { t.Errorf("Fchmodat: unexpected error %v", err) } err = syscall.Faccessat(_AT_FDCWD, "file1", _F_OK, _AT_SYMLINK_NOFOLLOW) if err != nil { t.Errorf("Faccessat: unexpected error: %v", err) } err = syscall.Faccessat(_AT_FDCWD, "file1", _R_OK, _AT_SYMLINK_NOFOLLOW) if err != syscall.EACCES { if syscall.Getuid() != 0 { t.Errorf("Faccessat: unexpected error: %v, want EACCES", err) } } } func TestFchmodat(t *testing.T) { defer chtmpdir(t)() touch(t, "file1") os.Symlink("file1", "symlink1") err := syscall.Fchmodat(_AT_FDCWD, "symlink1", 0444, 0) if err != nil { t.Fatalf("Fchmodat: unexpected error: %v", err) } fi, err := os.Stat("file1") if err != nil { t.Fatal(err) } if fi.Mode() != 0444 { t.Errorf("Fchmodat: failed to change mode: expected %v, got %v", 0444, fi.Mode()) } err = syscall.Fchmodat(_AT_FDCWD, "symlink1", 0444, _AT_SYMLINK_NOFOLLOW) if err != syscall.EOPNOTSUPP { t.Fatalf("Fchmodat: unexpected error: %v, expected EOPNOTSUPP", err) } } func TestMain(m *testing.M) { if os.Getenv("GO_DEATHSIG_PARENT") == "1" { deathSignalParent() } else if os.Getenv("GO_DEATHSIG_CHILD") == "1" { deathSignalChild() } else if os.Getenv("GO_SYSCALL_NOERROR") == "1" { syscallNoError() } os.Exit(m.Run()) } func TestParseNetlinkMessage(t *testing.T) { for i, b := range [][]byte{ {103, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 2, 11, 0, 1, 0, 0, 0, 0, 5, 8, 0, 3, 0, 8, 0, 6, 0, 0, 0, 0, 1, 63, 0, 10, 0, 69, 16, 0, 59, 39, 82, 64, 0, 64, 6, 21, 89, 127, 0, 0, 1, 127, 0, 0, 1, 230, 228, 31, 144, 32, 186, 155, 211, 185, 151, 209, 179, 128, 24, 1, 86, 53, 119, 0, 0, 1, 1, 8, 10, 0, 17, 234, 12, 0, 17, 189, 126, 107, 106, 108, 107, 106, 13, 10, }, {106, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 2, 11, 0, 1, 0, 0, 0, 0, 3, 8, 0, 3, 0, 8, 0, 6, 0, 0, 0, 0, 1, 66, 0, 10, 0, 69, 0, 0, 62, 230, 255, 64, 0, 64, 6, 85, 184, 127, 0, 0, 1, 127, 0, 0, 1, 237, 206, 31, 144, 73, 197, 128, 65, 250, 60, 192, 97, 128, 24, 1, 86, 253, 21, 0, 0, 1, 1, 8, 10, 0, 51, 106, 89, 0, 51, 102, 198, 108, 104, 106, 108, 107, 104, 108, 107, 104, 10, }, {102, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 2, 11, 0, 1, 0, 0, 0, 0, 1, 8, 0, 3, 0, 8, 0, 6, 0, 0, 0, 0, 1, 62, 0, 10, 0, 69, 0, 0, 58, 231, 2, 64, 0, 64, 6, 85, 185, 127, 0, 0, 1, 127, 0, 0, 1, 237, 206, 31, 144, 73, 197, 128, 86, 250, 60, 192, 97, 128, 24, 1, 86, 104, 64, 0, 0, 1, 1, 8, 10, 0, 52, 198, 200, 0, 51, 135, 232, 101, 115, 97, 103, 103, 10, }, } { m, err := syscall.ParseNetlinkMessage(b) if err != syscall.EINVAL { t.Errorf("#%d: got %v; want EINVAL", i, err) } if m != nil { t.Errorf("#%d: got %v; want nil", i, m) } } } func TestSyscallNoError(t *testing.T) { // On Linux there are currently no syscalls which don't fail and return // a value larger than 0xfffffffffffff001 so we could test RawSyscall // vs. RawSyscallNoError on 64bit architectures. if unsafe.Sizeof(uintptr(0)) != 4 { t.Skip("skipping on non-32bit architecture") } // See https://golang.org/issue/35422 // On MIPS, Linux returns whether the syscall had an error in a separate // register (R7), not using a negative return value as on other // architectures. if runtime.GOARCH == "mips" || runtime.GOARCH == "mipsle" { t.Skipf("skipping on %s", runtime.GOARCH) } if os.Getuid() != 0 { t.Skip("skipping root only test") } if syscall.Sys_GETEUID == 0 { t.Skip("skipping because there is no geteuid system call") } if runtime.GOOS == "android" { t.Skip("skipping on rooted android, see issue 27364") } // Copy the test binary to a location that a non-root user can read/execute // after we drop privileges tempDir, err := os.MkdirTemp("", "TestSyscallNoError") if err != nil { t.Fatalf("cannot create temporary directory: %v", err) } defer os.RemoveAll(tempDir) os.Chmod(tempDir, 0755) tmpBinary := filepath.Join(tempDir, filepath.Base(os.Args[0])) src, err := os.Open(os.Args[0]) if err != nil { t.Fatalf("cannot open binary %q, %v", os.Args[0], err) } defer src.Close() dst, err := os.OpenFile(tmpBinary, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0755) if err != nil { t.Fatalf("cannot create temporary binary %q, %v", tmpBinary, err) } if _, err := io.Copy(dst, src); err != nil { t.Fatalf("failed to copy test binary to %q, %v", tmpBinary, err) } err = dst.Close() if err != nil { t.Fatalf("failed to close test binary %q, %v", tmpBinary, err) } uid := uint32(0xfffffffe) err = os.Chown(tmpBinary, int(uid), -1) if err != nil { t.Fatalf("failed to chown test binary %q, %v", tmpBinary, err) } err = os.Chmod(tmpBinary, 0755|fs.ModeSetuid) if err != nil { t.Fatalf("failed to set setuid bit on test binary %q, %v", tmpBinary, err) } cmd := exec.Command(tmpBinary) cmd.Env = append(os.Environ(), "GO_SYSCALL_NOERROR=1") out, err := cmd.CombinedOutput() if err != nil { t.Fatalf("failed to start first child process: %v", err) } got := strings.TrimSpace(string(out)) want := strconv.FormatUint(uint64(uid)+1, 10) + " / " + strconv.FormatUint(uint64(-uid), 10) + " / " + strconv.FormatUint(uint64(uid), 10) if got != want { if filesystemIsNoSUID(tmpBinary) { t.Skip("skipping test when temp dir is mounted nosuid") } // formatted so the values are aligned for easier comparison t.Errorf("expected %s,\ngot %s", want, got) } } // filesystemIsNoSUID reports whether the filesystem for the given // path is mounted nosuid. func filesystemIsNoSUID(path string) bool { var st syscall.Statfs_t if syscall.Statfs(path, &st) != nil { return false } return st.Flags&syscall.MS_NOSUID != 0 } func syscallNoError() { // Test that the return value from SYS_GETEUID32 (which cannot fail) // doesn't get treated as an error (see https://golang.org/issue/22924) euid1, _, e := syscall.RawSyscall(syscall.Sys_GETEUID, 0, 0, 0) euid2, _ := syscall.RawSyscallNoError(syscall.Sys_GETEUID, 0, 0, 0) fmt.Println(uintptr(euid1), "/", int(e), "/", uintptr(euid2)) os.Exit(0) } // reference uapi/linux/prctl.h const ( PR_GET_KEEPCAPS uintptr = 7 PR_SET_KEEPCAPS = 8 ) // TestAllThreadsSyscall tests that the go runtime can perform // syscalls that execute on all OSThreads - with which to support // POSIX semantics for security state changes. func TestAllThreadsSyscall(t *testing.T) { if _, _, err := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_KEEPCAPS, 0, 0); err == syscall.ENOTSUP { t.Skip("AllThreadsSyscall disabled with cgo") } fns := []struct { label string fn func(uintptr) error }{ { label: "prctl<3-args>", fn: func(v uintptr) error { _, _, e := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_KEEPCAPS, v, 0) if e != 0 { return e } return nil }, }, { label: "prctl<6-args>", fn: func(v uintptr) error { _, _, e := syscall.AllThreadsSyscall6(syscall.SYS_PRCTL, PR_SET_KEEPCAPS, v, 0, 0, 0, 0) if e != 0 { return e } return nil }, }, } waiter := func(q <-chan uintptr, r chan<- uintptr, once bool) { for x := range q { runtime.LockOSThread() v, _, e := syscall.Syscall(syscall.SYS_PRCTL, PR_GET_KEEPCAPS, 0, 0) if e != 0 { t.Errorf("tid=%d prctl(PR_GET_KEEPCAPS) failed: %v", syscall.Gettid(), e) } else if x != v { t.Errorf("tid=%d prctl(PR_GET_KEEPCAPS) mismatch: got=%d want=%d", syscall.Gettid(), v, x) } r <- v if once { break } runtime.UnlockOSThread() } } // launches per fns member. const launches = 11 question := make(chan uintptr) response := make(chan uintptr) defer close(question) routines := 0 for i, v := range fns { for j := 0; j < launches; j++ { // Add another goroutine - the closest thing // we can do to encourage more OS thread // creation - while the test is running. The // actual thread creation may or may not be // needed, based on the number of available // unlocked OS threads at the time waiter // calls runtime.LockOSThread(), but the goal // of doing this every time through the loop // is to race thread creation with v.fn(want) // being executed. Via the once boolean we // also encourage one in 5 waiters to return // locked after participating in only one // question response sequence. This allows the // test to race thread destruction too. once := routines%5 == 4 go waiter(question, response, once) // Keep a count of how many goroutines are // going to participate in the // question/response test. This will count up // towards 2*launches minus the count of // routines that have been invoked with // once=true. routines++ // Decide what value we want to set the // process-shared KEEPCAPS. Note, there is // an explicit repeat of 0 when we change the // variant of the syscall being used. want := uintptr(j & 1) // Invoke the AllThreadsSyscall* variant. if err := v.fn(want); err != nil { t.Errorf("[%d,%d] %s(PR_SET_KEEPCAPS, %d, ...): %v", i, j, v.label, j&1, err) } // At this point, we want all launched Go // routines to confirm that they see the // wanted value for KEEPCAPS. for k := 0; k < routines; k++ { question <- want } // At this point, we should have a large // number of locked OS threads all wanting to // reply. for k := 0; k < routines; k++ { if got := <-response; got != want { t.Errorf("[%d,%d,%d] waiter result got=%d, want=%d", i, j, k, got, want) } } // Provide an explicit opportunity for this Go // routine to change Ms. runtime.Gosched() if once { // One waiter routine will have exited. routines-- } // Whatever M we are now running on, confirm // we see the wanted value too. if v, _, e := syscall.Syscall(syscall.SYS_PRCTL, PR_GET_KEEPCAPS, 0, 0); e != 0 { t.Errorf("[%d,%d] prctl(PR_GET_KEEPCAPS) failed: %v", i, j, e) } else if v != want { t.Errorf("[%d,%d] prctl(PR_GET_KEEPCAPS) gave wrong value: got=%v, want=1", i, j, v) } } } } // compareStatus is used to confirm the contents of the thread // specific status files match expectations. func compareStatus(filter, expect string) error { expected := filter + expect pid := syscall.Getpid() fs, err := os.ReadDir(fmt.Sprintf("/proc/%d/task", pid)) if err != nil { return fmt.Errorf("unable to find %d tasks: %v", pid, err) } expectedProc := fmt.Sprintf("Pid:\t%d", pid) foundAThread := false for _, f := range fs { tf := fmt.Sprintf("/proc/%s/status", f.Name()) d, err := os.ReadFile(tf) if err != nil { // There are a surprising number of ways this // can error out on linux. We've seen all of // the following, so treat any error here as // equivalent to the "process is gone": // os.IsNotExist(err), // "... : no such process", // "... : bad file descriptor. continue } lines := strings.Split(string(d), "\n") for _, line := range lines { // Different kernel vintages pad differently. line = strings.TrimSpace(line) if strings.HasPrefix(line, "Pid:\t") { // On loaded systems, it is possible // for a TID to be reused really // quickly. As such, we need to // validate that the thread status // info we just read is a task of the // same process PID as we are // currently running, and not a // recently terminated thread // resurfaced in a different process. if line != expectedProc { break } // Fall through in the unlikely case // that filter at some point is // "Pid:\t". } if strings.HasPrefix(line, filter) { if line == expected { foundAThread = true break } if filter == "Groups:" && strings.HasPrefix(line, "Groups:\t") { // https://github.com/golang/go/issues/46145 // Containers don't reliably output this line in sorted order so manually sort and compare that. a := strings.Split(line[8:], " ") sort.Strings(a) got := strings.Join(a, " ") if got == expected[8:] { foundAThread = true break } } return fmt.Errorf("%q got:%q want:%q (bad) [pid=%d file:'%s' %v]\n", tf, line, expected, pid, string(d), expectedProc) } } } if !foundAThread { return fmt.Errorf("found no thread /proc//status files for process %q", expectedProc) } return nil } // killAThread locks the goroutine to an OS thread and exits; this // causes an OS thread to terminate. func killAThread(c <-chan struct{}) { runtime.LockOSThread() <-c return } // TestSetuidEtc performs tests on all of the wrapped system calls // that mirror to the 9 glibc syscalls with POSIX semantics. The test // here is considered authoritative and should compile and run // CGO_ENABLED=0 or 1. Note, there is an extended copy of this same // test in ../../misc/cgo/test/issue1435.go which requires // CGO_ENABLED=1 and launches pthreads from C that run concurrently // with the Go code of the test - and the test validates that these // pthreads are also kept in sync with the security state changed with // the syscalls. Care should be taken to mirror any enhancements to // this test here in that file too. func TestSetuidEtc(t *testing.T) { if syscall.Getuid() != 0 { t.Skip("skipping root only test") } vs := []struct { call string fn func() error filter, expect string }{ {call: "Setegid(1)", fn: func() error { return syscall.Setegid(1) }, filter: "Gid:", expect: "\t0\t1\t0\t1"}, {call: "Setegid(0)", fn: func() error { return syscall.Setegid(0) }, filter: "Gid:", expect: "\t0\t0\t0\t0"}, {call: "Seteuid(1)", fn: func() error { return syscall.Seteuid(1) }, filter: "Uid:", expect: "\t0\t1\t0\t1"}, {call: "Setuid(0)", fn: func() error { return syscall.Setuid(0) }, filter: "Uid:", expect: "\t0\t0\t0\t0"}, {call: "Setgid(1)", fn: func() error { return syscall.Setgid(1) }, filter: "Gid:", expect: "\t1\t1\t1\t1"}, {call: "Setgid(0)", fn: func() error { return syscall.Setgid(0) }, filter: "Gid:", expect: "\t0\t0\t0\t0"}, {call: "Setgroups([]int{0,1,2,3})", fn: func() error { return syscall.Setgroups([]int{0, 1, 2, 3}) }, filter: "Groups:", expect: "\t0 1 2 3"}, {call: "Setgroups(nil)", fn: func() error { return syscall.Setgroups(nil) }, filter: "Groups:", expect: ""}, {call: "Setgroups([]int{0})", fn: func() error { return syscall.Setgroups([]int{0}) }, filter: "Groups:", expect: "\t0"}, {call: "Setregid(101,0)", fn: func() error { return syscall.Setregid(101, 0) }, filter: "Gid:", expect: "\t101\t0\t0\t0"}, {call: "Setregid(0,102)", fn: func() error { return syscall.Setregid(0, 102) }, filter: "Gid:", expect: "\t0\t102\t102\t102"}, {call: "Setregid(0,0)", fn: func() error { return syscall.Setregid(0, 0) }, filter: "Gid:", expect: "\t0\t0\t0\t0"}, {call: "Setreuid(1,0)", fn: func() error { return syscall.Setreuid(1, 0) }, filter: "Uid:", expect: "\t1\t0\t0\t0"}, {call: "Setreuid(0,2)", fn: func() error { return syscall.Setreuid(0, 2) }, filter: "Uid:", expect: "\t0\t2\t2\t2"}, {call: "Setreuid(0,0)", fn: func() error { return syscall.Setreuid(0, 0) }, filter: "Uid:", expect: "\t0\t0\t0\t0"}, {call: "Setresgid(101,0,102)", fn: func() error { return syscall.Setresgid(101, 0, 102) }, filter: "Gid:", expect: "\t101\t0\t102\t0"}, {call: "Setresgid(0,102,101)", fn: func() error { return syscall.Setresgid(0, 102, 101) }, filter: "Gid:", expect: "\t0\t102\t101\t102"}, {call: "Setresgid(0,0,0)", fn: func() error { return syscall.Setresgid(0, 0, 0) }, filter: "Gid:", expect: "\t0\t0\t0\t0"}, {call: "Setresuid(1,0,2)", fn: func() error { return syscall.Setresuid(1, 0, 2) }, filter: "Uid:", expect: "\t1\t0\t2\t0"}, {call: "Setresuid(0,2,1)", fn: func() error { return syscall.Setresuid(0, 2, 1) }, filter: "Uid:", expect: "\t0\t2\t1\t2"}, {call: "Setresuid(0,0,0)", fn: func() error { return syscall.Setresuid(0, 0, 0) }, filter: "Uid:", expect: "\t0\t0\t0\t0"}, } for i, v := range vs { // Generate some thread churn as we execute the tests. c := make(chan struct{}) go killAThread(c) close(c) if err := v.fn(); err != nil { t.Errorf("[%d] %q failed: %v", i, v.call, err) continue } if err := compareStatus(v.filter, v.expect); err != nil { t.Errorf("[%d] %q comparison: %v", i, v.call, err) } } } // TestAllThreadsSyscallError verifies that errors are properly returned when // the syscall fails on the original thread. func TestAllThreadsSyscallError(t *testing.T) { // SYS_CAPGET takes pointers as the first two arguments. Since we pass // 0, we expect to get EFAULT back. r1, r2, err := syscall.AllThreadsSyscall(syscall.SYS_CAPGET, 0, 0, 0) if err == syscall.ENOTSUP { t.Skip("AllThreadsSyscall disabled with cgo") } if err != syscall.EFAULT { t.Errorf("AllThreadSyscall(SYS_CAPGET) got %d, %d, %v, want err %v", r1, r2, err, syscall.EFAULT) } } // TestAllThreadsSyscallBlockedSyscall confirms that AllThreadsSyscall // can interrupt threads in long-running system calls. This test will // deadlock if this doesn't work correctly. func TestAllThreadsSyscallBlockedSyscall(t *testing.T) { if _, _, err := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_KEEPCAPS, 0, 0); err == syscall.ENOTSUP { t.Skip("AllThreadsSyscall disabled with cgo") } rd, wr, err := os.Pipe() if err != nil { t.Fatalf("unable to obtain a pipe: %v", err) } // Perform a blocking read on the pipe. var wg sync.WaitGroup ready := make(chan bool) wg.Add(1) go func() { data := make([]byte, 1) // To narrow the window we have to wait for this // goroutine to block in read, synchronize just before // calling read. ready <- true // We use syscall.Read directly to avoid the poller. // This will return when the write side is closed. n, err := syscall.Read(int(rd.Fd()), data) if !(n == 0 && err == nil) { t.Errorf("expected read to return 0, got %d, %s", n, err) } // Clean up rd and also ensure rd stays reachable so // it doesn't get closed by GC. rd.Close() wg.Done() }() <-ready // Loop here to give the goroutine more time to block in read. // Generally this will trigger on the first iteration anyway. pid := syscall.Getpid() for i := 0; i < 100; i++ { if id, _, e := syscall.AllThreadsSyscall(syscall.SYS_GETPID, 0, 0, 0); e != 0 { t.Errorf("[%d] getpid failed: %v", i, e) } else if int(id) != pid { t.Errorf("[%d] getpid got=%d, want=%d", i, id, pid) } // Provide an explicit opportunity for this goroutine // to change Ms. runtime.Gosched() } wr.Close() wg.Wait() }