From 9de8287d47c68ae538456f6059ce19f878d6ecea Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Thu, 23 Mar 2023 12:49:11 -0400
Subject: [PATCH] ssh/tailssh: lock OS thread during incubator

This makes it less likely that we trip over bugs like golang/go#1435.

Updates #7616

Signed-off-by: Andrew Dunham
Change-Id: Ic28c03c3ad8ed5274a795c766b767fa876029f0e
---
 ssh/tailssh/incubator.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ssh/tailssh/incubator.go b/ssh/tailssh/incubator.go
index d81e54ec2..6b2ea262a 100644
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -204,6 +204,16 @@ func parseIncubatorArgs(args []string) (a incubatorArgs) {
 // OS, sets its UID and groups to the specified `--uid`, `--gid` and
 // `--groups` and then launches the requested `--cmd`.
 func beIncubator(args []string) error {
+ // To defend against issues like https://golang.org/issue/1435,
+ // defensively lock our current goroutine's thread to the current
+ // system thread before we start making any UID/GID/group changes.
+ //
+ // This shouldn't matter on Linux because syscall.AllThreadsSyscall is
+ // used to invoke syscalls on all OS threads, but (as of 2023-03-23)
+ // that function is not implemented on all platforms.
+ runtime.LockOSThread()
+ defer runtime.UnlockOSThread()
+
 ia := parseIncubatorArgs(args)
 if ia.isSFTP && ia.isShell {
 return fmt.Errorf("--sftp and --shell are mutually exclusive")
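Review bot: The added `defer runtime.UnlockOSThread()` undoes the protection the new comment argues for on exactly the platforms it names: where credential changes apply only to the calling thread (the non-AllThreadsSyscall case), any error return from beIncubator after the UID/GID/group changes unlocks a thread with altered credentials and hands it back to the scheduler for reuse by unrelated goroutines. Go's documented behaviour for a goroutine that exits while still locked is to terminate the thread, which is the safer outcome here, so the lock should be left in place rather than deferred away; the rest of beIncubator, including its error paths after the credential changes, lies outside this hunk, so whether such returns exist is inferred from the comment's own wording. I would drop the defer and document the intent on the lock line, `runtime.LockOSThread() // deliberately never unlocked: a thread whose credentials we changed must not be recycled`. The hunk also does not show the import block, so confirm `runtime` is already imported in incubator.go.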