netns_linux.go

//go:build linux
// +build linux

package socket

import (
	"errors"
	"fmt"
	"os"
	"runtime"

	"golang.org/x/sync/errgroup"
	"golang.org/x/sys/unix"
)

// errNetNSDisabled is returned when network namespaces are unavailable on
// a given system.
var errNetNSDisabled = errors.New("socket: Linux network namespaces are not enabled on this system")

// withNetNS invokes fn within the context of the network namespace specified by
// fd, while also managing the logic required to safely do so by manipulating
// thread-local state.
func withNetNS(fd int, fn func() (*Conn, error)) (*Conn, error) {
	var (
		eg   errgroup.Group
		conn *Conn
	)

	eg.Go(func() error {
		// Retrieve and store the calling OS thread's network namespace so the
		// thread can be reassigned to it after creating a socket in another network
		// namespace.
		runtime.LockOSThread()

		ns, err := threadNetNS()
		if err != nil {
			// No thread-local manipulation, unlock.
			runtime.UnlockOSThread()
			return err
		}
		defer ns.Close()

		// Beyond this point, the thread's network namespace is poisoned. Do not
		// unlock the OS thread until all network namespace manipulation completes
		// to avoid returning to the caller with altered thread-local state.

		// Assign the current OS thread the goroutine is locked to to the given
		// network namespace.
		if err := ns.Set(fd); err != nil {
			return err
		}

		// Attempt Conn creation and unconditionally restore the original namespace.
		c, err := fn()
		if nerr := ns.Restore(); nerr != nil {
			// Failed to restore original namespace. Return an error and allow the
			// runtime to terminate the thread.
			if err == nil {
				_ = c.Close()
			}

			return nerr
		}

		// No more thread-local state manipulation; return the new Conn.
		runtime.UnlockOSThread()
		conn = c
		return nil
	})

	if err := eg.Wait(); err != nil {
		return nil, err
	}

	return conn, nil
}

// A netNS is a handle that can manipulate network namespaces.
//
// Operations performed on a netNS must use runtime.LockOSThread before
// manipulating any network namespaces.
type netNS struct {
	// The handle to a network namespace.
	f *os.File

	// Indicates if network namespaces are disabled on this system, and thus
	// operations should become a no-op or return errors.
	disabled bool
}

// threadNetNS constructs a netNS using the network namespace of the calling
// thread. If the namespace is not the default namespace, runtime.LockOSThread
// should be invoked first.
func threadNetNS() (*netNS, error) {
	return fileNetNS(fmt.Sprintf("/proc/self/task/%d/ns/net", unix.Gettid()))
}

// fileNetNS opens file and creates a netNS. fileNetNS should only be called
// directly in tests.
func fileNetNS(file string) (*netNS, error) {
	f, err := os.Open(file)
	switch {
	case err == nil:
		return &netNS{f: f}, nil
	case os.IsNotExist(err):
		// Network namespaces are not enabled on this system. Use this signal
		// to return errors elsewhere if the caller explicitly asks for a
		// network namespace to be set.
		return &netNS{disabled: true}, nil
	default:
		return nil, err
	}
}

// Close releases the handle to a network namespace.
func (n *netNS) Close() error {
	return n.do(func() error { return n.f.Close() })
}

// FD returns a file descriptor which represents the network namespace.
func (n *netNS) FD() int {
	if n.disabled {
		// No reasonable file descriptor value in this case, so specify a
		// non-existent one.
		return -1
	}

	return int(n.f.Fd())
}

// Restore restores the original network namespace for the calling thread.
func (n *netNS) Restore() error {
	return n.do(func() error { return n.Set(n.FD()) })
}

// Set sets a new network namespace for the current thread using fd.
func (n *netNS) Set(fd int) error {
	return n.do(func() error {
		return os.NewSyscallError("setns", unix.Setns(fd, unix.CLONE_NEWNET))
	})
}

// do runs fn if network namespaces are enabled on this system.
func (n *netNS) do(fn func() error) error {
	if n.disabled {
		return errNetNSDisabled
	}

	return fn()
}