lzc256
/
tailscale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ssh/tailssh: lock OS thread during incubator 

This makes it less likely that we trip over bugs like golang/go#1435.

Updates #7616

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ic28c03c3ad8ed5274a795c766b767fa876029f0e
pull/7664/head
Andrew Dunham 2023-03-23 12:49:11 -04:00
parent c350cd1f06
commit 9de8287d47
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ssh/tailssh/incubator.go
View File

@ -204,6 +204,16 @@ func parseIncubatorArgs(args []string) (a incubatorArgs) {
// OS, sets its UID and groups to the specified `--uid`, `--gid` and // OS, sets its UID and groups to the specified `--uid`, `--gid` and
// `--groups` and then launches the requested `--cmd`. // `--groups` and then launches the requested `--cmd`.
func beIncubator(args []string) error { func beIncubator(args []string) error {
// To defend against issues like https://golang.org/issue/1435,
// defensively lock our current goroutine's thread to the current
// system thread before we start making any UID/GID/group changes.
//
// This shouldn't matter on Linux because syscall.AllThreadsSyscall is
// used to invoke syscalls on all OS threads, but (as of 2023-03-23)
// that function is not implemented on all platforms.
runtime.LockOSThread()
defer runtime.UnlockOSThread()
ia := parseIncubatorArgs(args) ia := parseIncubatorArgs(args)
if ia.isSFTP && ia.isShell { if ia.isSFTP && ia.isShell {
return fmt.Errorf("--sftp and --shell are mutually exclusive") return fmt.Errorf("--sftp and --shell are mutually exclusive")