Hi! I have a Linux-specific question about capabilities, threads, and syscalls.
I have a Go program which runs other programs with specific capabilities set. It basically does the following: cmd := exec.Command(...) runtime.LockOSThread() unix.RawSyscall(unix.CAPSET, ...) cmd.Start() Empirically, it seems to work well, having run in production for several years. I wrote it this way because, from my reading of capabilities documentation, capset only affects the current thread, so it's important that we use the same OS thread for running the capset syscall as the fork. I also used RawSyscall (rather than Syscall) for this reason. I noticed that more recently the x/sys/unix package added Capget and Capset which use Syscall rather than RawSyscall. Thinking about it more now, ISTM that using Syscall is fine, and that LockOSThread is all I need to ensure that the thread with the raised capabilities is the one that runs the fork. Is that correct? Relatedly, how does one definitively know whether a syscall is nonblocking? AFAICT setcap and getcap shouldn't block. Why does unix use Syscall for Capset/Capget but RawSyscall for calls like Getpgid? Thanks! Caleb -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAGeFq%2BkHmjiNK42gsAETUV9GZ2zp2UkPeBX9UCPj3HsvLoS9fw%40mail.gmail.com.
