author | Valery Piashchynski <[email protected]> | 2020-10-13 13:55:20 +0300 |
---|---|---|
committer | Valery Piashchynski <[email protected]> | 2020-10-13 13:55:20 +0300 |
commit | 0dc44d54cfcc9dd3fa09a41136f35a9a8d26b994 (patch) | |
tree | ffcb65010bebe9f5b5436192979e64b2402a6ec0 /util/isolate.go | |
parent | 08d6b6b7f773f83b286cd48c1a0fbec9a62fb42b (diff) |
Initial commit of RR 2.0v2.0.0-alpha1
Diffstat (limited to 'util/isolate.go')
-rw-r--r-- | util/isolate.go | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/util/isolate.go b/util/isolate.go
new file mode 100644
index 00000000..005c430e
--- /dev/null
+++ b/util/isolate.go
@@ -0,0 +1,56 @@
+// +build !windows
+
+package util
+
+import (
+ "fmt"
+ "os"
+ "os/exec"
+ "os/user"
+ "strconv"
+ "syscall"
+)
+
+// IsolateProcess change gpid for the process to avoid bypassing signals to php processes.
+func IsolateProcess(cmd *exec.Cmd) {
+ cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true, Pgid: 0}
+}
+
+// ExecuteFromUser may work only if run RR under root user
+func ExecuteFromUser(cmd *exec.Cmd, u string) error {
+ usr, err := user.Lookup(u)
+ if err != nil {
+ return err
+ }
+
+ usrI32, err := strconv.Atoi(usr.Uid)
+ if err != nil {
+ return err
+ }
+
+ grI32, err := strconv.Atoi(usr.Gid)
+ if err != nil {
+ return err
+ }
+
+ // For more information:
+ // https://www.man7.org/linux/man-pages/man7/user_namespaces.7.html
+ // https://www.man7.org/linux/man-pages/man7/namespaces.7.html
+ if _, err := os.Stat("/proc/self/ns/user"); err != nil {
+ if os.IsNotExist(err) {
+ return fmt.Errorf("kernel doesn't support user namespaces")
+ }
+ if os.IsPermission(err) {
+ return fmt.Errorf("unable to test user namespaces due to permissions")
+ }
+
+ return fmt.Errorf("failed to stat /proc/self/ns/user: %v", err)
+ }
+
+ cmd.SysProcAttr.Credential = &syscall.Credential{
+ Uid: uint32(usrI32),
+ Gid: uint32(grI32),
+ }
+
+ return nil
+}
|
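Review bot: `ExecuteFromUser` assigns `cmd.SysProcAttr.Credential` without checking that `cmd.SysProcAttr` is non-nil, so it panics unless something has populated the struct first, and `IsolateProcess` replaces the whole struct, so calling it after `ExecuteFromUser` silently discards the credential and the child would start under RR's own uid instead of the requested user. Both functions should create the struct only when it is missing, `if cmd.SysProcAttr == nil { cmd.SysProcAttr = &syscall.SysProcAttr{} }`, with `IsolateProcess` then setting `cmd.SysProcAttr.Setpgid = true` and `cmd.SysProcAttr.Pgid = 0` on the existing value. Separately, `strconv.Atoi` followed by `uint32(...)` would wrap a negative or oversized id into a different uid/gid; `strconv.ParseUint(usr.Uid, 10, 32)` (and the same for `usr.Gid`) rejects such values instead. The `/proc/self/ns/user` stat does not establish that the process may change credentials, so a non-root caller probably only learns of the failure when the command is started; a doc comment on `ExecuteFromUser` saying so would help callers.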