Migrate from deprecated syscall package to golang.org/x/sys/unix

debfx · Sep 25, 2022 · c30eafd · c30eafd
1 parent 3f3b459
commit c30eafd
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 66 deletions.
diff --git a/http-proxy.go b/http-proxy.go
@@ -18,7 +18,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 
 	"github.com/elazarl/goproxy"
 	"github.com/gobwas/glob"
@@ -255,7 +254,7 @@ func forwardConnection(localConn net.Conn, proxyServerPath string) {
 	go func() {
 		_, err = io.Copy(proxyServerConn, localConn)
 		if err != nil {
-			if !errors.Is(err, syscall.EPIPE) {
+			if !errors.Is(err, unix.EPIPE) {
 				fmt.Printf("Forwarding from http proxy unix socket to local tcp port failed: %v\n", err)
 			}
 			proxyServerConn.Close()
@@ -266,7 +265,7 @@ func forwardConnection(localConn net.Conn, proxyServerPath string) {
 	go func() {
 		_, err = io.Copy(localConn, proxyServerConn)
 		if err != nil {
-			if !errors.Is(err, syscall.EPIPE) {
+			if !errors.Is(err, unix.EPIPE) {
 				fmt.Printf("Forwarding from local tcp port to http proxy unix socket failed: %v\n", err)
 			}
 			proxyServerConn.Close()

diff --git a/mountinfo.go b/mountinfo.go
@@ -10,25 +10,26 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
-	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 var regexpOctalEscape = regexp.MustCompile(`\\(\d{1,3})`)
 
 var optionFlagMap map[string]int = map[string]int{
-	"ro":          syscall.MS_RDONLY,
-	"noexec":      syscall.MS_NOEXEC,
-	"nosuid":      syscall.MS_NOSUID,
-	"nodev":       syscall.MS_NODEV,
-	"sync":        syscall.MS_SYNCHRONOUS,
-	"dirsync":     syscall.MS_DIRSYNC,
-	"silent":      syscall.MS_SILENT,
-	"mand":        syscall.MS_MANDLOCK,
-	"noatime":     syscall.MS_NOATIME,
-	"iversion":    syscall.MS_I_VERSION,
-	"nodiratime":  syscall.MS_NODIRATIME,
-	"relatime":    syscall.MS_RELATIME,
-	"strictatime": syscall.MS_STRICTATIME,
+	"ro":          unix.MS_RDONLY,
+	"noexec":      unix.MS_NOEXEC,
+	"nosuid":      unix.MS_NOSUID,
+	"nodev":       unix.MS_NODEV,
+	"sync":        unix.MS_SYNCHRONOUS,
+	"dirsync":     unix.MS_DIRSYNC,
+	"silent":      unix.MS_SILENT,
+	"mand":        unix.MS_MANDLOCK,
+	"noatime":     unix.MS_NOATIME,
+	"iversion":    unix.MS_I_VERSION,
+	"nodiratime":  unix.MS_NODIRATIME,
+	"relatime":    unix.MS_RELATIME,
+	"strictatime": unix.MS_STRICTATIME,
 }
 
 type mountInfoEntry struct {

diff --git a/seccomp.go b/seccomp.go
@@ -5,9 +5,9 @@ package main
 
 import (
 	"fmt"
-	"syscall"
 
 	seccomp "github.com/seccomp/libseccomp-golang"
+	"golang.org/x/sys/unix"
 )
 
 type seccompRule struct {
@@ -74,9 +74,9 @@ func loadSeccomp(filterName string, logDenials bool) ([]*seccomp.ScmpFilter, err
 
 	filters := []*seccomp.ScmpFilter{}
 
-	actionEperm := seccomp.ActErrno.SetReturnCode(int16(syscall.EPERM))
-	actionEnosys := seccomp.ActErrno.SetReturnCode(int16(syscall.ENOSYS))
-	actionEafnosupport := seccomp.ActErrno.SetReturnCode(int16(syscall.EAFNOSUPPORT))
+	actionEperm := seccomp.ActErrno.SetReturnCode(int16(unix.EPERM))
+	actionEnosys := seccomp.ActErrno.SetReturnCode(int16(unix.ENOSYS))
+	actionEafnosupport := seccomp.ActErrno.SetReturnCode(int16(unix.EAFNOSUPPORT))
 
 	var defaultActionMain seccomp.ScmpAction
 	rulesMain := []seccompRule{}
@@ -157,7 +157,7 @@ func loadSeccomp(filterName string, logDenials bool) ([]*seccomp.ScmpFilter, err
 		for _, i := range []int{1, 2, 10, 16} {
 			rulesMain = append(rulesMain, seccompRule{
 				Action:   seccomp.ActAllow,
-				Syscall:  syscall.SYS_SOCKET,
+				Syscall:  unix.SYS_SOCKET,
 				Arg:      0,
 				Op:       seccomp.CompareEqual,
 				OpValue1: uint64(i),
@@ -166,14 +166,14 @@ func loadSeccomp(filterName string, logDenials bool) ([]*seccomp.ScmpFilter, err
 
 		rulesMain = append(rulesMain, seccompRule{
 			Action:   actionEafnosupport,
-			Syscall:  syscall.SYS_SOCKET,
+			Syscall:  unix.SYS_SOCKET,
 			Arg:      0,
 			Op:       seccomp.CompareLess,
 			OpValue1: 1,
 		})
 		rulesMain = append(rulesMain, seccompRule{
 			Action:   actionEafnosupport,
-			Syscall:  syscall.SYS_SOCKET,
+			Syscall:  unix.SYS_SOCKET,
 			Arg:      0,
 			Op:       seccomp.CompareGreater,
 			OpValue1: 16,
@@ -182,7 +182,7 @@ func loadSeccomp(filterName string, logDenials bool) ([]*seccomp.ScmpFilter, err
 		for i := 3; i < 10; i++ {
 			rulesMain = append(rulesMain, seccompRule{
 				Action:   actionEafnosupport,
-				Syscall:  syscall.SYS_SOCKET,
+				Syscall:  unix.SYS_SOCKET,
 				Arg:      0,
 				Op:       seccomp.CompareEqual,
 				OpValue1: uint64(i),
@@ -191,7 +191,7 @@ func loadSeccomp(filterName string, logDenials bool) ([]*seccomp.ScmpFilter, err
 		for i := 11; i < 16; i++ {
 			rulesMain = append(rulesMain, seccompRule{
 				Action:   actionEafnosupport,
-				Syscall:  syscall.SYS_SOCKET,
+				Syscall:  unix.SYS_SOCKET,
 				Arg:      0,
 				Op:       seccomp.CompareEqual,
 				OpValue1: uint64(i),
@@ -201,14 +201,14 @@ func loadSeccomp(filterName string, logDenials bool) ([]*seccomp.ScmpFilter, err
 		// only allow personality(PER_LINUX)
 		rulesMain = append(rulesMain, seccompRule{
 			Action:   seccomp.ActAllow,
-			Syscall:  syscall.SYS_PERSONALITY,
+			Syscall:  unix.SYS_PERSONALITY,
 			Arg:      0,
 			Op:       seccomp.CompareEqual,
 			OpValue1: 0,
 		})
 		rulesMain = append(rulesMain, seccompRule{
 			Action:   actionEperm,
-			Syscall:  syscall.SYS_PERSONALITY,
+			Syscall:  unix.SYS_PERSONALITY,
 			Arg:      0,
 			Op:       seccomp.CompareNotEqual,
 			OpValue1: 0,
@@ -225,19 +225,19 @@ func loadSeccomp(filterName string, logDenials bool) ([]*seccomp.ScmpFilter, err
 	rulesMaskedEqual := []seccompRule{
 		{
 			Action:   actionEperm,
-			Syscall:  syscall.SYS_IOCTL,
+			Syscall:  unix.SYS_IOCTL,
 			Arg:      1,
 			Op:       seccomp.CompareMaskedEqual,
 			OpValue1: 0xFFFFFFFF,
-			OpValue2: syscall.TIOCSTI,
+			OpValue2: unix.TIOCSTI,
 		},
 		{
 			Action:   actionEperm,
-			Syscall:  syscall.SYS_CLONE,
+			Syscall:  unix.SYS_CLONE,
 			Arg:      0,
 			Op:       seccomp.CompareMaskedEqual,
-			OpValue1: syscall.CLONE_NEWUSER,
-			OpValue2: syscall.CLONE_NEWUSER,
+			OpValue1: unix.CLONE_NEWUSER,
+			OpValue2: unix.CLONE_NEWUSER,
 		},
 	}
 

diff --git a/userns.go b/userns.go
@@ -50,12 +50,12 @@ func decodePassUsernsChild(input []byte) (passUsernsChildStruct, error) {
 }
 
 func usernsRun(exe string, settings settingsStruct, mounts []mount, environ []string, fork bool) (int, error) {
-	var unshareFlags uintptr = syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS | syscall.CLONE_NEWPID
+	var unshareFlags uintptr = unix.CLONE_NEWUSER | unix.CLONE_NEWNS | unix.CLONE_NEWPID
 	if !settings.Ipc {
-		unshareFlags = unshareFlags | syscall.CLONE_NEWIPC
+		unshareFlags = unshareFlags | unix.CLONE_NEWIPC
 	}
 	if !settings.Network {
-		unshareFlags = unshareFlags | syscall.CLONE_NEWNET
+		unshareFlags = unshareFlags | unix.CLONE_NEWNET
 	}
 
 	allCaps, err := getAllCaps()
@@ -157,7 +157,7 @@ func usernsRun(exe string, settings settingsStruct, mounts []mount, environ []st
 }
 
 func mountPrivatePropagation() error {
-	return syscall.Mount("none", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, "")
+	return unix.Mount("none", "/", "", unix.MS_REC|unix.MS_PRIVATE, "")
 }
 
 func getCapLastCap() (uintptr, error) {
@@ -230,8 +230,8 @@ func restrictUserNamespaces() error {
 }
 
 func mountTmpfs(path string, mode string, readOnly bool) error {
-	flags := syscall.MS_REC | syscall.MS_NOSUID | syscall.MS_NOATIME
-	if err := syscall.Mount("tmpfs", path, "tmpfs", uintptr(flags), "mode="+mode); err != nil {
+	flags := unix.MS_REC | unix.MS_NOSUID | unix.MS_NOATIME
+	if err := unix.Mount("tmpfs", path, "tmpfs", uintptr(flags), "mode="+mode); err != nil {
 		return err
 	}
 
@@ -245,15 +245,15 @@ func mountTmpfs(path string, mode string, readOnly bool) error {
 }
 
 func mountProc(path string) error {
-	return syscall.Mount("proc", path, "proc", syscall.MS_NOSUID|syscall.MS_NODEV|syscall.MS_NOEXEC, "")
+	return unix.Mount("proc", path, "proc", unix.MS_NOSUID|unix.MS_NODEV|unix.MS_NOEXEC, "")
 }
 
 func mountDevPts(path string) error {
-	return syscall.Mount("devpts", path, "devpts", syscall.MS_NOSUID|syscall.MS_NOEXEC, "newinstance,ptmxmode=0666,mode=620")
+	return unix.Mount("devpts", path, "devpts", unix.MS_NOSUID|unix.MS_NOEXEC, "newinstance,ptmxmode=0666,mode=620")
 }
 
 func remountReadOnly(path string, existingFlags int) error {
-	return syscall.Mount(path, path, "", uintptr(existingFlags|syscall.MS_REMOUNT|syscall.MS_REC|syscall.MS_BIND|syscall.MS_RDONLY), "")
+	return unix.Mount(path, path, "", uintptr(existingFlags|unix.MS_REMOUNT|unix.MS_REC|unix.MS_BIND|unix.MS_RDONLY), "")
 }
 
 func mountBind(source string, target string, readOnly bool, debug bool) error {
@@ -277,7 +277,7 @@ func mountBind(source string, target string, readOnly bool, debug bool) error {
 		}
 	}
 
-	if err := syscall.Mount(source, target, "", syscall.MS_REC|syscall.MS_BIND, ""); err != nil {
+	if err := unix.Mount(source, target, "", unix.MS_REC|unix.MS_BIND, ""); err != nil {
 		return err
 	}
 
@@ -317,17 +317,17 @@ func mountBind(source string, target string, readOnly bool, debug bool) error {
 }
 
 func reapChildren(mainPid int, helperPids []int, syncFile *os.File) error {
-	var wstatus syscall.WaitStatus
+	var wstatus unix.WaitStatus
 	mainExited := false
 
 	for {
 		// reap any terminated child
-		diedPid, err := syscall.Wait4(-1, &wstatus, 0, nil)
-		for err == syscall.EINTR {
-			diedPid, err = syscall.Wait4(-1, &wstatus, 0, nil)
+		diedPid, err := unix.Wait4(-1, &wstatus, 0, nil)
+		for err == unix.EINTR {
+			diedPid, err = unix.Wait4(-1, &wstatus, 0, nil)
 		}
 
-		if err == syscall.ECHILD {
+		if err == unix.ECHILD {
 			// no more children to wait upon
 			return nil
 		}
@@ -375,8 +375,8 @@ func reapChildren(mainPid int, helperPids []int, syncFile *os.File) error {
 			if allNonHelperExited {
 				// only helper processes left, terminate them
 				for _, pid := range helperPids {
-					err = syscall.Kill(pid, syscall.SIGKILL)
-					if err != nil && err != syscall.ESRCH {
+					err = unix.Kill(pid, unix.SIGKILL)
+					if err != nil && err != unix.ESRCH {
 						return fmt.Errorf("failed to kill helper process: %w", err)
 					}
 				}
@@ -427,14 +427,14 @@ func usernsChild() error {
 		return fmt.Errorf("failed to make newroot directory: %w", err)
 	}
 	// bind mount on itself so it still exists when tmpDir is unmounted
-	if err := syscall.Mount("newroot", "newroot", "", syscall.MS_REC|syscall.MS_BIND, ""); err != nil {
+	if err := unix.Mount("newroot", "newroot", "", unix.MS_REC|unix.MS_BIND, ""); err != nil {
 		return fmt.Errorf("failed to bind-mount newroot: %w", err)
 	}
 
 	if err := os.Mkdir("oldroot", 0755); err != nil {
 		return fmt.Errorf("failed to make oldroot directory: %w", err)
 	}
-	if err := syscall.PivotRoot(tmpDir, "oldroot"); err != nil {
+	if err := unix.PivotRoot(tmpDir, "oldroot"); err != nil {
 		return fmt.Errorf("pivot_root to temporary dir failed: %w", err)
 	}
 	if err := os.Chdir("/"); err != nil {
@@ -584,36 +584,36 @@ func usernsChild() error {
 	}
 
 	// make sure the mount is private so we don't proprage the umount() to the outside
-	if err := syscall.Mount("oldroot", "oldroot", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
+	if err := unix.Mount("oldroot", "oldroot", "", unix.MS_REC|unix.MS_PRIVATE, ""); err != nil {
 		return fmt.Errorf("failed to make oldroot mount private: %w", err)
 	}
-	if err := syscall.Unmount("oldroot", syscall.MNT_DETACH); err != nil {
+	if err := unix.Unmount("oldroot", unix.MNT_DETACH); err != nil {
 		return fmt.Errorf("failed to unmount oldroot: %w", err)
 	}
 
 	// open our temporary root dir so we can unmount it once newroot is "/"
-	tmpRootFd, err := syscall.Open("/", syscall.O_DIRECTORY, syscall.O_RDONLY)
+	tmpRootFd, err := unix.Open("/", unix.O_DIRECTORY, unix.O_RDONLY)
 	if err != nil {
 		return fmt.Errorf("failed to open temorary root directory: %w", err)
 	}
 	if err := os.Chdir("newroot"); err != nil {
 		return fmt.Errorf("failed to chdir into newroot: %w", err)
 	}
-	if err := syscall.PivotRoot(".", "."); err != nil {
+	if err := unix.PivotRoot(".", "."); err != nil {
 		return fmt.Errorf("pivot_root into newroot failed: %w", err)
 	}
 
-	if err := syscall.Fchdir(tmpRootFd); err != nil {
+	if err := unix.Fchdir(tmpRootFd); err != nil {
 		return fmt.Errorf("failed to chdir into temporary root fd: %w", err)
 	}
-	if err := syscall.Unmount(".", syscall.MNT_DETACH); err != nil {
+	if err := unix.Unmount(".", unix.MNT_DETACH); err != nil {
 		return fmt.Errorf("failed to unmount temporary root tmpfs: %w", err)
 	}
 
 	if err := os.Chdir("/"); err != nil {
 		return fmt.Errorf("chdir / in new root failed: %w", err)
 	}
-	if err := syscall.Close(tmpRootFd); err != nil {
+	if err := unix.Close(tmpRootFd); err != nil {
 		return fmt.Errorf("failed to close temporary root fd: %w", err)
 	}
 
@@ -666,7 +666,7 @@ func usernsChild() error {
 			}
 		}
 	} else {
-		if _, err := syscall.Setsid(); err != nil {
+		if _, err := unix.Setsid(); err != nil {
 			return err
 		}
 	}

diff --git a/utils.go b/utils.go
@@ -9,7 +9,6 @@ import (
 	"os/user"
 	"strconv"
 	"strings"
-	"syscall"
 
 	"golang.org/x/sys/unix"
 )
@@ -142,12 +141,12 @@ func yesNoStrToBool(str string) (bool, error) {
 }
 
 func setCloseOnExec(fd uintptr) error {
-	flags, err := unix.FcntlInt(fd, syscall.F_GETFD, 0)
+	flags, err := unix.FcntlInt(fd, unix.F_GETFD, 0)
 	if err != nil {
 		return err
 	}
 
-	_, err = unix.FcntlInt(fd, syscall.F_SETFD, flags|syscall.FD_CLOEXEC)
+	_, err = unix.FcntlInt(fd, unix.F_SETFD, flags|unix.FD_CLOEXEC)
 	if err != nil {
 		return err
 	}
@@ -156,12 +155,12 @@ func setCloseOnExec(fd uintptr) error {
 }
 
 func clearCloseOnExec(fd uintptr) error {
-	flags, err := unix.FcntlInt(fd, syscall.F_GETFD, 0)
+	flags, err := unix.FcntlInt(fd, unix.F_GETFD, 0)
 	if err != nil {
 		return err
 	}
 
-	_, err = unix.FcntlInt(fd, syscall.F_SETFD, flags & ^syscall.FD_CLOEXEC)
+	_, err = unix.FcntlInt(fd, unix.F_SETFD, flags & ^unix.FD_CLOEXEC)
 	if err != nil {
 		return err
 	}
@@ -170,7 +169,7 @@ func clearCloseOnExec(fd uintptr) error {
 }
 
 func setFdReadOnly(fd uintptr) error {
-	_, err := unix.FcntlInt(fd, syscall.F_SETFL, syscall.O_RDONLY)
+	_, err := unix.FcntlInt(fd, unix.F_SETFL, unix.O_RDONLY)
 	if err != nil {
 		return err
 	}