// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build linux

package syscall

import (
	
	
)

// SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
// See user_namespaces(7).
type SysProcIDMap struct {
	ContainerID int // Container ID.
	HostID      int // Host ID.
	Size        int // Size.
}

type SysProcAttr struct {
	Chroot     string      // Chroot.
	Credential *Credential // Credential.
	// Ptrace tells the child to call ptrace(PTRACE_TRACEME).
	// Call runtime.LockOSThread before starting a process with this set,
	// and don't call UnlockOSThread until done with PtraceSyscall calls.
	Ptrace bool
	Setsid bool // Create session.
	// Setpgid sets the process group ID of the child to Pgid,
	// or, if Pgid == 0, to the new child's process ID.
	Setpgid bool
	// Setctty sets the controlling terminal of the child to
	// file descriptor Ctty. Ctty must be a descriptor number
	// in the child process: an index into ProcAttr.Files.
	// This is only meaningful if Setsid is true.
	Setctty bool
	Noctty  bool // Detach fd 0 from controlling terminal
	Ctty    int  // Controlling TTY fd
	// Foreground places the child process group in the foreground.
	// This implies Setpgid. The Ctty field must be set to
	// the descriptor of the controlling TTY.
	// Unlike Setctty, in this case Ctty must be a descriptor
	// number in the parent process.
	Foreground   bool
	Pgid         int            // Child's process group ID if Setpgid.
	Pdeathsig    Signal         // Signal that the process will get when its parent dies (Linux only)
	Cloneflags   uintptr        // Flags for clone calls (Linux only)
	Unshareflags uintptr        // Flags for unshare calls (Linux only)
	UidMappings  []SysProcIDMap // User ID mappings for user namespaces.
	GidMappings  []SysProcIDMap // Group ID mappings for user namespaces.
	// GidMappingsEnableSetgroups enabling setgroups syscall.
	// If false, then setgroups syscall will be disabled for the child process.
	// This parameter is no-op if GidMappings == nil. Otherwise for unprivileged
	// users this should be set to false for mappings work.
	GidMappingsEnableSetgroups bool
	AmbientCaps                []uintptr // Ambient capabilities (Linux only)
}

var (
	none  = [...]byte{'n', 'o', 'n', 'e', 0}
	slash = [...]byte{'/', 0}
)

// Implemented in runtime package.
func ()
func ()
func ()

// Fork, dup fd onto 0..len(fd), and exec(argv0, argvv, envv) in child.
// If a dup or exec fails, write the errno error to pipe.
// (Pipe is close-on-exec so if exec succeeds, it will be closed.)
// In the child, this function must not acquire any locks, because
// they might have been locked at the time of the fork. This means
// no rescheduling, no malloc calls, and no new stack segments.
// For the same reason compiler does not race instrument it.
// The calls to RawSyscall are okay because they are assembly
// functions that do not grow the stack.
//go:norace
func ( *byte, ,  []*byte, ,  *byte,  *ProcAttr,  *SysProcAttr,  int) ( int,  Errno) {
	// Set up and fork. This returns immediately in the parent or
	// if there's an error.
	, , ,  := forkAndExecInChild1(, , , , , , , )
	if  {
		runtime_AfterFork()
	}
	if  != 0 {
		return 0, 
	}

	// parent; return PID
	 = int()

	if .UidMappings != nil || .GidMappings != nil {
		Close([0])
		var  Errno
		// uid/gid mappings will be written after fork and unshare(2) for user
		// namespaces.
		if .Unshareflags&CLONE_NEWUSER == 0 {
			if  := writeUidGidMappings(, );  != nil {
				 = .(Errno)
			}
		}
		RawSyscall(SYS_WRITE, uintptr([1]), uintptr(unsafe.Pointer(&)), unsafe.Sizeof())
		Close([1])
	}

	return , 0
}

const _LINUX_CAPABILITY_VERSION_3 = 0x20080522

type capHeader struct {
	version uint32
	pid     int32
}

type capData struct {
	effective   uint32
	permitted   uint32
	inheritable uint32
}
type caps struct {
	hdr  capHeader
	data [2]capData
}

// See CAP_TO_INDEX in linux/capability.h:
func ( uintptr) uintptr { return  >> 5 }

// See CAP_TO_MASK in linux/capability.h:
func ( uintptr) uint32 { return 1 << uint(&31) }

// forkAndExecInChild1 implements the body of forkAndExecInChild up to
// the parent's post-fork path. This is a separate function so we can
// separate the child's and parent's stack frames if we're using
// vfork.
//
// This is go:noinline because the point is to keep the stack frames
// of this and forkAndExecInChild separate.
//
//go:noinline
//go:norace
func ( *byte, ,  []*byte, ,  *byte,  *ProcAttr,  *SysProcAttr,  int) ( uintptr,  Errno,  [2]int,  bool) {
	// Defined in linux/prctl.h starting with Linux 4.3.
	const (
		       = 0x2f
		 = 0x2
	)

	// vfork requires that the child not touch any of the parent's
	// active stack frames. Hence, the child does all post-fork
	// processing in this stack frame and never returns, while the
	// parent returns immediately from this frame and does all
	// post-fork processing in the outer frame.
	// Declare all variables at top in case any
	// declarations require heap allocation (e.g., err1).
	var (
		                      Errno
		                    int
		                         int
		                      caps
		                       uintptr
		, ,     []byte
		, ,  []byte
	)

	if .UidMappings != nil {
		 = []byte("/proc/self/uid_map\000")
		 = formatIDMappings(.UidMappings)
	}

	if .GidMappings != nil {
		 = []byte("/proc/self/setgroups\000")
		 = []byte("/proc/self/gid_map\000")

		if .GidMappingsEnableSetgroups {
			 = []byte("allow\000")
		} else {
			 = []byte("deny\000")
		}
		 = formatIDMappings(.GidMappings)
	}

	// Record parent PID so child can test if it has died.
	,  := rawSyscallNoError(SYS_GETPID, 0, 0, 0)

	// Guard against side effects of shuffling fds below.
	// Make sure that nextfd is beyond any currently open files so
	// that we can't run the risk of overwriting any of them.
	 := make([]int, len(.Files))
	 = len(.Files)
	for ,  := range .Files {
		if  < int() {
			 = int()
		}
		[] = int()
	}
	++

	// Allocate another pipe for parent to child communication for
	// synchronizing writing of User ID/Group ID mappings.
	if .UidMappings != nil || .GidMappings != nil {
		if  := forkExecPipe([:]);  != nil {
			 = .(Errno)
			return
		}
	}

	var  bool
	switch runtime.GOARCH {
	case "amd64", "arm64", "ppc64", "riscv64", "s390x":
		 = true
	}

	// About to call fork.
	// No more allocation or calls of non-assembly functions.
	runtime_BeforeFork()
	 = true
	switch {
	case  && (.Cloneflags&CLONE_NEWUSER == 0 && .Unshareflags&CLONE_NEWUSER == 0):
		,  = rawVforkSyscall(SYS_CLONE, uintptr(SIGCHLD|CLONE_VFORK|CLONE_VM)|.Cloneflags)
	case runtime.GOARCH == "s390x":
		, _,  = RawSyscall6(SYS_CLONE, 0, uintptr(SIGCHLD)|.Cloneflags, 0, 0, 0, 0)
	default:
		, _,  = RawSyscall6(SYS_CLONE, uintptr(SIGCHLD)|.Cloneflags, 0, 0, 0, 0, 0)
	}
	if  != 0 ||  != 0 {
		// If we're in the parent, we must return immediately
		// so we're not in the same stack frame as the child.
		// This can at most use the return PC, which the child
		// will not modify, and the results of
		// rawVforkSyscall, which must have been written after
		// the child was replaced.
		return
	}

	// Fork succeeded, now in child.

	runtime_AfterForkInChild()

	// Enable the "keep capabilities" flag to set ambient capabilities later.
	if len(.AmbientCaps) > 0 {
		_, _,  = RawSyscall6(SYS_PRCTL, PR_SET_KEEPCAPS, 1, 0, 0, 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Wait for User ID/Group ID mappings to be written.
	if .UidMappings != nil || .GidMappings != nil {
		if _, _,  = RawSyscall(SYS_CLOSE, uintptr([1]), 0, 0);  != 0 {
			goto 
		}
		, _,  = RawSyscall(SYS_READ, uintptr([0]), uintptr(unsafe.Pointer(&)), unsafe.Sizeof())
		if  != 0 {
			goto 
		}
		if  != unsafe.Sizeof() {
			 = EINVAL
			goto 
		}
		if  != 0 {
			 = 
			goto 
		}
	}

	// Session ID
	if .Setsid {
		_, _,  = RawSyscall(SYS_SETSID, 0, 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Set process group
	if .Setpgid || .Foreground {
		// Place child in process group.
		_, _,  = RawSyscall(SYS_SETPGID, 0, uintptr(.Pgid), 0)
		if  != 0 {
			goto 
		}
	}

	if .Foreground {
		 := int32(.Pgid)
		if  == 0 {
			, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)

			 = int32()
		}

		// Place process group in foreground.
		_, _,  = RawSyscall(SYS_IOCTL, uintptr(.Ctty), uintptr(TIOCSPGRP), uintptr(unsafe.Pointer(&)))
		if  != 0 {
			goto 
		}
	}

	// Unshare
	if .Unshareflags != 0 {
		_, _,  = RawSyscall(SYS_UNSHARE, .Unshareflags, 0, 0)
		if  != 0 {
			goto 
		}

		if .Unshareflags&CLONE_NEWUSER != 0 && .GidMappings != nil {
			 := int(_AT_FDCWD)
			if , _,  = RawSyscall6(SYS_OPENAT, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(O_WRONLY), 0, 0, 0);  != 0 {
				goto 
			}
			, _,  = RawSyscall(SYS_WRITE, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(len()))
			if  != 0 {
				goto 
			}
			if _, _,  = RawSyscall(SYS_CLOSE, uintptr(), 0, 0);  != 0 {
				goto 
			}

			if , _,  = RawSyscall6(SYS_OPENAT, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(O_WRONLY), 0, 0, 0);  != 0 {
				goto 
			}
			, _,  = RawSyscall(SYS_WRITE, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(len()))
			if  != 0 {
				goto 
			}
			if _, _,  = RawSyscall(SYS_CLOSE, uintptr(), 0, 0);  != 0 {
				goto 
			}
		}

		if .Unshareflags&CLONE_NEWUSER != 0 && .UidMappings != nil {
			 := int(_AT_FDCWD)
			if , _,  = RawSyscall6(SYS_OPENAT, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(O_WRONLY), 0, 0, 0);  != 0 {
				goto 
			}
			, _,  = RawSyscall(SYS_WRITE, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(len()))
			if  != 0 {
				goto 
			}
			if _, _,  = RawSyscall(SYS_CLOSE, uintptr(), 0, 0);  != 0 {
				goto 
			}
		}

		// The unshare system call in Linux doesn't unshare mount points
		// mounted with --shared. Systemd mounts / with --shared. For a
		// long discussion of the pros and cons of this see debian bug 739593.
		// The Go model of unsharing is more like Plan 9, where you ask
		// to unshare and the namespaces are unconditionally unshared.
		// To make this model work we must further mark / as MS_PRIVATE.
		// This is what the standard unshare command does.
		if .Unshareflags&CLONE_NEWNS == CLONE_NEWNS {
			_, _,  = RawSyscall6(SYS_MOUNT, uintptr(unsafe.Pointer(&none[0])), uintptr(unsafe.Pointer(&slash[0])), 0, MS_REC|MS_PRIVATE, 0, 0)
			if  != 0 {
				goto 
			}
		}
	}

	// Chroot
	if  != nil {
		_, _,  = RawSyscall(SYS_CHROOT, uintptr(unsafe.Pointer()), 0, 0)
		if  != 0 {
			goto 
		}
	}

	// User and groups
	if  := .Credential;  != nil {
		 := uintptr(len(.Groups))
		 := uintptr(0)
		if  > 0 {
			 = uintptr(unsafe.Pointer(&.Groups[0]))
		}
		if !(.GidMappings != nil && !.GidMappingsEnableSetgroups &&  == 0) && !.NoSetGroups {
			_, _,  = RawSyscall(_SYS_setgroups, , , 0)
			if  != 0 {
				goto 
			}
		}
		_, _,  = RawSyscall(sys_SETGID, uintptr(.Gid), 0, 0)
		if  != 0 {
			goto 
		}
		_, _,  = RawSyscall(sys_SETUID, uintptr(.Uid), 0, 0)
		if  != 0 {
			goto 
		}
	}

	if len(.AmbientCaps) != 0 {
		// Ambient capabilities were added in the 4.3 kernel,
		// so it is safe to always use _LINUX_CAPABILITY_VERSION_3.
		.hdr.version = _LINUX_CAPABILITY_VERSION_3

		if , ,  := RawSyscall(SYS_CAPGET, uintptr(unsafe.Pointer(&.hdr)), uintptr(unsafe.Pointer(&.data[0])), 0);  != 0 {
			goto 
		}

		for ,  := range .AmbientCaps {
			// Add the c capability to the permitted and inheritable capability mask,
			// otherwise we will not be able to add it to the ambient capability mask.
			.data[capToIndex()].permitted |= capToMask()
			.data[capToIndex()].inheritable |= capToMask()
		}

		if , ,  := RawSyscall(SYS_CAPSET, uintptr(unsafe.Pointer(&.hdr)), uintptr(unsafe.Pointer(&.data[0])), 0);  != 0 {
			goto 
		}

		for ,  := range .AmbientCaps {
			_, _,  = RawSyscall6(SYS_PRCTL, , uintptr(), , 0, 0, 0)
			if  != 0 {
				goto 
			}
		}
	}

	// Chdir
	if  != nil {
		_, _,  = RawSyscall(SYS_CHDIR, uintptr(unsafe.Pointer()), 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Parent death signal
	if .Pdeathsig != 0 {
		_, _,  = RawSyscall6(SYS_PRCTL, PR_SET_PDEATHSIG, uintptr(.Pdeathsig), 0, 0, 0, 0)
		if  != 0 {
			goto 
		}

		// Signal self if parent is already dead. This might cause a
		// duplicate signal in rare cases, but it won't matter when
		// using SIGKILL.
		, _ = rawSyscallNoError(SYS_GETPPID, 0, 0, 0)
		if  !=  {
			,  := rawSyscallNoError(SYS_GETPID, 0, 0, 0)
			, ,  := RawSyscall(SYS_KILL, , uintptr(.Pdeathsig), 0)
			if  != 0 {
				goto 
			}
		}
	}

	// Pass 1: look for fd[i] < i and move those up above len(fd)
	// so that pass 2 won't stomp on an fd it needs later.
	if  <  {
		_, _,  = RawSyscall(SYS_DUP3, uintptr(), uintptr(), O_CLOEXEC)
		if _SYS_dup != SYS_DUP3 &&  == ENOSYS {
			_, _,  = RawSyscall(_SYS_dup, uintptr(), uintptr(), 0)
			if  != 0 {
				goto 
			}
			RawSyscall(fcntl64Syscall, uintptr(), F_SETFD, FD_CLOEXEC)
		} else if  != 0 {
			goto 
		}
		 = 
		++
	}
	for  = 0;  < len(); ++ {
		if [] >= 0 && [] < int() {
			if  ==  { // don't stomp on pipe
				++
			}
			_, _,  = RawSyscall(SYS_DUP3, uintptr([]), uintptr(), O_CLOEXEC)
			if _SYS_dup != SYS_DUP3 &&  == ENOSYS {
				_, _,  = RawSyscall(_SYS_dup, uintptr([]), uintptr(), 0)
				if  != 0 {
					goto 
				}
				RawSyscall(fcntl64Syscall, uintptr(), F_SETFD, FD_CLOEXEC)
			} else if  != 0 {
				goto 
			}
			[] = 
			++
		}
	}

	// Pass 2: dup fd[i] down onto i.
	for  = 0;  < len(); ++ {
		if [] == -1 {
			RawSyscall(SYS_CLOSE, uintptr(), 0, 0)
			continue
		}
		if [] == int() {
			// dup2(i, i) won't clear close-on-exec flag on Linux,
			// probably not elsewhere either.
			_, _,  = RawSyscall(fcntl64Syscall, uintptr([]), F_SETFD, 0)
			if  != 0 {
				goto 
			}
			continue
		}
		// The new fd is created NOT close-on-exec,
		// which is exactly what we want.
		_, _,  = RawSyscall(_SYS_dup, uintptr([]), uintptr(), 0)
		if  != 0 {
			goto 
		}
	}

	// By convention, we don't close-on-exec the fds we are
	// started with, so if len(fd) < 3, close 0, 1, 2 as needed.
	// Programs that know they inherit fds >= 3 will need
	// to set them close-on-exec.
	for  = len();  < 3; ++ {
		RawSyscall(SYS_CLOSE, uintptr(), 0, 0)
	}

	// Detach fd 0 from tty
	if .Noctty {
		_, _,  = RawSyscall(SYS_IOCTL, 0, uintptr(TIOCNOTTY), 0)
		if  != 0 {
			goto 
		}
	}

	// Set the controlling TTY to Ctty
	if .Setctty {
		_, _,  = RawSyscall(SYS_IOCTL, uintptr(.Ctty), uintptr(TIOCSCTTY), 1)
		if  != 0 {
			goto 
		}
	}

	// Enable tracing if requested.
	// Do this right before exec so that we don't unnecessarily trace the runtime
	// setting up after the fork. See issue #21428.
	if .Ptrace {
		_, _,  = RawSyscall(SYS_PTRACE, uintptr(PTRACE_TRACEME), 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Time to exec.
	_, _,  = RawSyscall(SYS_EXECVE,
		uintptr(unsafe.Pointer()),
		uintptr(unsafe.Pointer(&[0])),
		uintptr(unsafe.Pointer(&[0])))

:
	// send error code on pipe
	RawSyscall(SYS_WRITE, uintptr(), uintptr(unsafe.Pointer(&)), unsafe.Sizeof())
	for {
		RawSyscall(SYS_EXIT, 253, 0, 0)
	}
}

// Try to open a pipe with O_CLOEXEC set on both file descriptors.
func ( []int) ( error) {
	 = Pipe2(, O_CLOEXEC)
	// pipe2 was added in 2.6.27 and our minimum requirement is 2.6.23, so it
	// might not be implemented.
	if  == ENOSYS {
		if  = Pipe();  != nil {
			return
		}
		if _,  = fcntl([0], F_SETFD, FD_CLOEXEC);  != nil {
			return
		}
		_,  = fcntl([1], F_SETFD, FD_CLOEXEC)
	}
	return
}

func ( []SysProcIDMap) []byte {
	var  []byte
	for ,  := range  {
		 = append(, []byte(itoa(.ContainerID)+" "+itoa(.HostID)+" "+itoa(.Size)+"\n")...)
	}
	return 
}

// writeIDMappings writes the user namespace User ID or Group ID mappings to the specified path.
func ( string,  []SysProcIDMap) error {
	,  := Open(, O_RDWR, 0)
	if  != nil {
		return 
	}

	if ,  := Write(, formatIDMappings());  != nil {
		Close()
		return 
	}

	if  := Close();  != nil {
		return 
	}

	return nil
}

// writeSetgroups writes to /proc/PID/setgroups "deny" if enable is false
// and "allow" if enable is true.
// This is needed since kernel 3.19, because you can't write gid_map without
// disabling setgroups() system call.
func ( int,  bool) error {
	 := "/proc/" + itoa() + "/setgroups"
	,  := Open(, O_RDWR, 0)
	if  != nil {
		return 
	}

	var  []byte
	if  {
		 = []byte("allow")
	} else {
		 = []byte("deny")
	}

	if ,  := Write(, );  != nil {
		Close()
		return 
	}

	return Close()
}

// writeUidGidMappings writes User ID and Group ID mappings for user namespaces
// for a process and it is called from the parent process.
func ( int,  *SysProcAttr) error {
	if .UidMappings != nil {
		 := "/proc/" + itoa() + "/uid_map"
		if  := writeIDMappings(, .UidMappings);  != nil {
			return 
		}
	}

	if .GidMappings != nil {
		// If the kernel is too old to support /proc/PID/setgroups, writeSetGroups will return ENOENT; this is OK.
		if  := writeSetgroups(, .GidMappingsEnableSetgroups);  != nil &&  != ENOENT {
			return 
		}
		 := "/proc/" + itoa() + "/gid_map"
		if  := writeIDMappings(, .GidMappings);  != nil {
			return 
		}
	}

	return nil
}