[supervisor] execve into ring3

Christian Weichel · Christian Weichel · commit ef66ca19a1aa · 2021-01-08T15:58:39.000+01:00
diff --git a/components/supervisor/BUILD.yaml b/components/supervisor/BUILD.yaml
@@ -18,6 +18,10 @@ packages:
     config:
       buildFlags:
         - "-ldflags=-w"
+      # build with >= go1.16beta1 to make libcap work without CGO. See
+      # - https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap, search for allthreadssyscall
+      # - https://github.com/golang/go/issues/1435
+      goVersion: go1.16beta1
   - name: docker
     type: docker
     srcs:
diff --git a/components/supervisor/cmd/rings.go b/components/supervisor/cmd/rings.go
@@ -24,6 +24,7 @@ import (
 	sigproxysignal "github.com/rootless-containers/rootlesskit/pkg/sigproxy/signal"
 	"github.com/spf13/cobra"
 	"golang.org/x/sys/unix"
+	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
 const (
@@ -364,29 +365,21 @@ var ring2Cmd = &cobra.Command{
 			return
 		}
 
-		cmd := exec.Command("/proc/self/exe", "run", "--inns")
-		cmd.SysProcAttr = &syscall.SysProcAttr{
-			Pdeathsig: syscall.SIGKILL,
-			Credential: &syscall.Credential{
-				Uid: 33333,
-				Gid: 33333,
-			},
+		err = cap.SetGroups(33333)
+		if err != nil {
+			log.WithError(err).Error("cannot setgid")
+			failed = true
+			return
 		}
-		cmd.Stdin = os.Stdin
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Env = os.Environ()
-		if err := cmd.Start(); err != nil {
-			log.WithError(err).Error("failed to start the child process")
+		err = cap.SetUID(33333)
+		if err != nil {
+			log.WithError(err).Error("cannot setuid")
 			failed = true
 			return
 		}
-		sigc := sigproxy.ForwardAllSignals(context.Background(), cmd.Process.Pid)
-		defer sigproxysignal.StopCatch(sigc)
-
-		err = cmd.Wait()
+		err = unix.Exec("/proc/self/exe", []string{"supervisor", "run", "--inns"}, os.Environ())
 		if err != nil {
-			log.WithError(err).Error("unexpected exit")
+			log.WithError(err).Error("cannot exec")
 			failed = true
 			return
 		}
diff --git a/components/supervisor/go.mod b/components/supervisor/go.mod
@@ -28,6 +28,7 @@ require (
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	google.golang.org/grpc v1.34.0
 	google.golang.org/grpc/examples v0.0.0-20200902210233-8630cac324bf // indirect
+	kernel.org/pub/linux/libs/security/libcap/cap v0.2.46
 )
 
 replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway
diff --git a/components/supervisor/go.sum b/components/supervisor/go.sum
@@ -724,6 +724,10 @@ k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
 k8s.io/utils v0.0.0-20191030222137-2b95a09bc58d/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+kernel.org/pub/linux/libs/security/libcap/cap v0.2.46 h1:2my+JWsYxD0mFKUbqgtEf7r9A0m/fCMUv21RGgknTiU=
+kernel.org/pub/linux/libs/security/libcap/cap v0.2.46/go.mod h1:Xni6/5rCuzPoHAac5sCFMuDxz9FuI8GTUyQ4qlw3e0w=
+kernel.org/pub/linux/libs/security/libcap/psx v0.2.46 h1:9GvXrCSQAcgQ3zZVxRN8K866o1aAY1DYdXj0vHIHvYA=
+kernel.org/pub/linux/libs/security/libcap/psx v0.2.46/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/components/ws-daemon/go.sum b/components/ws-daemon/go.sum
@@ -397,6 +397,7 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
@@ -718,8 +719,6 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.32.0 h1:zWTV+LMdc3kaiJMSTOFz2UgSBgx8RNQoTGiZu3fR9S0=
-google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.34.0 h1:raiipEjMOIC/TO2AvyTxP25XFdLxNIBwzDh3FM3XztI=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ require (`
`28`	`28`	`golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1`
`29`	`29`	`google.golang.org/grpc v1.34.0`
`30`	`30`	`google.golang.org/grpc/examples v0.0.0-20200902210233-8630cac324bf // indirect`
	`31`	`+ kernel.org/pub/linux/libs/security/libcap/cap v0.2.46`
`31`	`32`	`)`
`32`	`33`
`33`	`34`	`replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway`