linux-sandbox: do not treat large user IDs as negative numbers

The code writes into /proc/self/uid_map the user ID as a signed integer
but a user ID is an unsigned integer. Large user IDs are printed as
negative numbers and the linux-sandbox fails.

Signed-off-by: George Prekas <george@enfabrica.net>

I observe the following on my system:

```
$ id -u
2418623341

$ linux-sandbox /bin/true
src/main/tools/linux-sandbox-pid1.cc:126: "fclose(/proc/self/uid_map)": Invalid argument

$ strace -yf linux-sandbox /bin/true |& grep uid_map
[pid 1077131] openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3</proc/1077131/uid_map>
[pid 1077131] fstat(3</proc/1077131/uid_map>, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
[pid 1077131] write(3</proc/1077131/uid_map>, "-1876343955 -1876343955 1\n", 26) = -1 EINVAL (Invalid argument)
[pid 1077131] close(3</proc/1077131/uid_map>) = 0
[pid 1077131] write(2<pipe:[151542577]>, "src/main/tools/linux-sandbox-pid"..., 69src/main/tools/linux-sandbox-pid1.cc:126: "fclose(/proc/self/uid_map)) = 69
```

After the fix, I get:

```
$ ~/bazel/bazel-bin/src/main/tools/linux-sandbox /bin/true && echo ok
ok
$ strace -yf ~/bazel/bazel-bin/src/main/tools/linux-sandbox -- /bin/true |& grep uid_map
[pid 1086662] openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3</proc/1086662/uid_map>
[pid 1086662] fstat(3</proc/1086662/uid_map>, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
[pid 1086662] write(3</proc/1086662/uid_map>, "2418623341 2418623341 1\n", 24) = 24
[pid 1086662] close(3</proc/1086662/uid_map>) = 0
```

Closes #15351.

PiperOrigin-RevId: 448910417
3 files changed
tree: 228ffaa5d7a86eaadabf090050992d27b692f4df
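The formatting difference described in the commit message, as an added example (not code from the Bazel source tree). The helper names and the pre-write check are hypothetical, and the sample UID is the one from the `id -u` output above.

```cpp
#include <sys/types.h>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>

// Hypothetical helper: the pre-fix behaviour, with the ID printed as a signed int.
std::string MapLineSigned(uid_t inner, uid_t outer) {
  char buf[64];
  snprintf(buf, sizeof(buf), "%d %d 1\n", static_cast<int>(inner),
           static_cast<int>(outer));
  return buf;
}

// Hypothetical helper: the ID printed as the unsigned value it is.
std::string MapLineUnsigned(uid_t inner, uid_t outer) {
  char buf[64];
  snprintf(buf, sizeof(buf), "%u %u 1\n", static_cast<unsigned>(inner),
           static_cast<unsigned>(outer));
  return buf;
}

// Sanity check before writing a single-extent uid_map/gid_map line:
// exactly three unsigned 32-bit decimal fields, "inner outer count\n".
bool LooksLikeValidMapLine(const std::string& line) {
  const char* p = line.c_str();
  for (int field = 0; field < 3; ++field) {
    if (*p < '0' || *p > '9') return false;  // rejects '-', '+', whitespace
    errno = 0;
    char* end = nullptr;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno != 0 || v > 0xFFFFFFFFULL) return false;
    if (*end != (field < 2 ? ' ' : '\n')) return false;
    p = end + 1;
  }
  return *p == '\0';
}

int main() {
  const uid_t uid = 2418623341u;  // sample value from the report above
  const std::string before = MapLineSigned(uid, uid);
  const std::string after = MapLineUnsigned(uid, uid);
  printf("signed:   %s  valid=%d\n", before.c_str(), LooksLikeValidMapLine(before));
  printf("unsigned: %s  valid=%d\n", after.c_str(), LooksLikeValidMapLine(after));
  return 0;
}
```

IDs below 2^31 format identically either way, which is why the defect only appears on systems that allocate UIDs in the upper half of the 32-bit range.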
README.md

Bazel

{Fast, Correct} - Choose two

Build and test software of any size, quickly and reliably.

  • Speed up your builds and tests: Bazel rebuilds only what is necessary. With advanced local and distributed caching, optimized dependency analysis and parallel execution, you get fast and incremental builds.

  • One tool, multiple languages: Build and test Java, C++, Android, iOS, Go, and a wide variety of other language platforms. Bazel runs on Windows, macOS, and Linux.

  • Scalable: Bazel helps you scale your organization, codebase, and continuous integration solution. It handles codebases of any size, in multiple repositories or a huge monorepo.

  • Extensible to your needs: Easily add support for new languages and platforms with Bazel's familiar extension language. Share and re-use language rules written by the growing Bazel community.

Reporting a Vulnerability

To report a security issue, please email security@bazel.build with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. Our vulnerability management team will respond within 3 working days of your email. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.

Contributing to Bazel

See CONTRIBUTING.md