summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--osutil/isolate.go17
1 files changed, 17 insertions, 0 deletions
diff --git a/osutil/isolate.go b/osutil/isolate.go
index 387df905..9eaf8a44 100644
--- a/osutil/isolate.go
+++ b/osutil/isolate.go
@@ -3,6 +3,8 @@
package osutil
import (
+ "fmt"
+ "os"
"os/exec"
"os/user"
"strconv"
@@ -14,6 +16,7 @@ func IsolateProcess(cmd *exec.Cmd) {
cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true, Pgid: 0}
}
+// ExecuteFromUser may work only if run RR under root user
func ExecuteFromUser(cmd *exec.Cmd, u string) error {
usr, err := user.Lookup(u)
if err != nil {
@@ -30,6 +33,20 @@ func ExecuteFromUser(cmd *exec.Cmd, u string) error {
return err
}
+ // For more information:
+ // https://www.man7.org/linux/man-pages/man7/user_namespaces.7.html
+ // https://www.man7.org/linux/man-pages/man7/namespaces.7.html
+ if _, err := os.Stat("/proc/self/ns/user"); err != nil {
+ if os.IsNotExist(err) {
+ return fmt.Errorf("kernel doesn't support user namespaces")
+ }
+ if os.IsPermission(err) {
+ return fmt.Errorf("unable to test user namespaces due to permissions")
+ }
+
+ return fmt.Errorf("failed to stat /proc/self/ns/user: %v", err)
+ }
+
cmd.SysProcAttr.Credential = &syscall.Credential{
Uid: uint32(usrI32),
Gid: uint32(grI32),
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-23 13:26:38 +0000