// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

//go:build linux

package syscall

import (
	errpkg 
	
	
	
)

// Linux unshare/clone/clone2/clone3 flags, architecture-independent,
// copied from linux/sched.h.
const (
	CLONE_VM             = 0x00000100 // set if VM shared between processes
	CLONE_FS             = 0x00000200 // set if fs info shared between processes
	CLONE_FILES          = 0x00000400 // set if open files shared between processes
	CLONE_SIGHAND        = 0x00000800 // set if signal handlers and blocked signals shared
	CLONE_PIDFD          = 0x00001000 // set if a pidfd should be placed in parent
	CLONE_PTRACE         = 0x00002000 // set if we want to let tracing continue on the child too
	CLONE_VFORK          = 0x00004000 // set if the parent wants the child to wake it up on mm_release
	CLONE_PARENT         = 0x00008000 // set if we want to have the same parent as the cloner
	CLONE_THREAD         = 0x00010000 // Same thread group?
	CLONE_NEWNS          = 0x00020000 // New mount namespace group
	CLONE_SYSVSEM        = 0x00040000 // share system V SEM_UNDO semantics
	CLONE_SETTLS         = 0x00080000 // create a new TLS for the child
	CLONE_PARENT_SETTID  = 0x00100000 // set the TID in the parent
	CLONE_CHILD_CLEARTID = 0x00200000 // clear the TID in the child
	CLONE_DETACHED       = 0x00400000 // Unused, ignored
	CLONE_UNTRACED       = 0x00800000 // set if the tracing process can't force CLONE_PTRACE on this clone
	CLONE_CHILD_SETTID   = 0x01000000 // set the TID in the child
	CLONE_NEWCGROUP      = 0x02000000 // New cgroup namespace
	CLONE_NEWUTS         = 0x04000000 // New utsname namespace
	CLONE_NEWIPC         = 0x08000000 // New ipc namespace
	CLONE_NEWUSER        = 0x10000000 // New user namespace
	CLONE_NEWPID         = 0x20000000 // New pid namespace
	CLONE_NEWNET         = 0x40000000 // New network namespace
	CLONE_IO             = 0x80000000 // Clone io context

	// Flags for the clone3() syscall.

	CLONE_CLEAR_SIGHAND = 0x100000000 // Clear any signal handler and reset to SIG_DFL.
	CLONE_INTO_CGROUP   = 0x200000000 // Clone into a specific cgroup given the right permissions.

	// Cloning flags intersect with CSIGNAL so can be used with unshare and clone3
	// syscalls only:

	CLONE_NEWTIME = 0x00000080 // New time namespace
)

// SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
// See user_namespaces(7).
//
// Note that User Namespaces are not available on a number of popular Linux
// versions (due to security issues), or are available but subject to AppArmor
// restrictions like in Ubuntu 24.04.
type SysProcIDMap struct {
	ContainerID int // Container ID.
	HostID      int // Host ID.
	Size        int // Size.
}

type SysProcAttr struct {
	Chroot     string      // Chroot.
	Credential *Credential // Credential.
	// Ptrace tells the child to call ptrace(PTRACE_TRACEME).
	// Call runtime.LockOSThread before starting a process with this set,
	// and don't call UnlockOSThread until done with PtraceSyscall calls.
	Ptrace bool
	Setsid bool // Create session.
	// Setpgid sets the process group ID of the child to Pgid,
	// or, if Pgid == 0, to the new child's process ID.
	Setpgid bool
	// Setctty sets the controlling terminal of the child to
	// file descriptor Ctty. Ctty must be a descriptor number
	// in the child process: an index into ProcAttr.Files.
	// This is only meaningful if Setsid is true.
	Setctty bool
	Noctty  bool // Detach fd 0 from controlling terminal.
	Ctty    int  // Controlling TTY fd.
	// Foreground places the child process group in the foreground.
	// This implies Setpgid. The Ctty field must be set to
	// the descriptor of the controlling TTY.
	// Unlike Setctty, in this case Ctty must be a descriptor
	// number in the parent process.
	Foreground bool
	Pgid       int // Child's process group ID if Setpgid.
	// Pdeathsig, if non-zero, is a signal that the kernel will send to
	// the child process when the creating thread dies. Note that the signal
	// is sent on thread termination, which may happen before process termination.
	// There are more details at https://go.dev/issue/27505.
	Pdeathsig    Signal
	Cloneflags   uintptr        // Flags for clone calls.
	Unshareflags uintptr        // Flags for unshare calls.
	UidMappings  []SysProcIDMap // User ID mappings for user namespaces.
	GidMappings  []SysProcIDMap // Group ID mappings for user namespaces.
	// GidMappingsEnableSetgroups enabling setgroups syscall.
	// If false, then setgroups syscall will be disabled for the child process.
	// This parameter is no-op if GidMappings == nil. Otherwise for unprivileged
	// users this should be set to false for mappings work.
	GidMappingsEnableSetgroups bool
	AmbientCaps                []uintptr // Ambient capabilities.
	UseCgroupFD                bool      // Whether to make use of the CgroupFD field.
	CgroupFD                   int       // File descriptor of a cgroup to put the new process into.
	// PidFD, if not nil, is used to store the pidfd of a child, if the
	// functionality is supported by the kernel, or -1. Note *PidFD is
	// changed only if the process starts successfully.
	PidFD *int
}

var (
	none  = [...]byte{'n', 'o', 'n', 'e', 0}
	slash = [...]byte{'/', 0}

	forceClone3 = false // Used by unit tests only.
)

// Implemented in runtime package.
func ()
func ()
func ()

// Fork, dup fd onto 0..len(fd), and exec(argv0, argvv, envv) in child.
// If a dup or exec fails, write the errno error to pipe.
// (Pipe is close-on-exec so if exec succeeds, it will be closed.)
// In the child, this function must not acquire any locks, because
// they might have been locked at the time of the fork. This means
// no rescheduling, no malloc calls, and no new stack segments.
// For the same reason compiler does not race instrument it.
// The calls to RawSyscall are okay because they are assembly
// functions that do not grow the stack.
//
//go:norace
func ( *byte, ,  []*byte, ,  *byte,  *ProcAttr,  *SysProcAttr,  int) ( int,  Errno) {
	// Set up and fork. This returns immediately in the parent or
	// if there's an error.
	, , , ,  := forkAndExecInChild1(, , , , , , , )
	if  {
		runtime_AfterFork()
	}
	if  != 0 {
		return 0, 
	}

	// parent; return PID
	 = int()
	if .PidFD != nil {
		*.PidFD = int()
	}

	if .UidMappings != nil || .GidMappings != nil {
		Close([0])
		var  Errno
		// uid/gid mappings will be written after fork and unshare(2) for user
		// namespaces.
		if .Unshareflags&CLONE_NEWUSER == 0 {
			if  := writeUidGidMappings(, );  != nil {
				 = .(Errno)
			}
		}
		RawSyscall(SYS_WRITE, uintptr([1]), uintptr(unsafe.Pointer(&)), unsafe.Sizeof())
		Close([1])
	}

	return , 0
}

const _LINUX_CAPABILITY_VERSION_3 = 0x20080522

type capHeader struct {
	version uint32
	pid     int32
}

type capData struct {
	effective   uint32
	permitted   uint32
	inheritable uint32
}
type caps struct {
	hdr  capHeader
	data [2]capData
}

// See CAP_TO_INDEX in linux/capability.h:
func ( uintptr) uintptr { return  >> 5 }

// See CAP_TO_MASK in linux/capability.h:
func ( uintptr) uint32 { return 1 << uint(&31) }

// cloneArgs holds arguments for clone3 Linux syscall.
type cloneArgs struct {
	flags      uint64 // Flags bit mask
	pidFD      uint64 // Where to store PID file descriptor (int *)
	childTID   uint64 // Where to store child TID, in child's memory (pid_t *)
	parentTID  uint64 // Where to store child TID, in parent's memory (pid_t *)
	exitSignal uint64 // Signal to deliver to parent on child termination
	stack      uint64 // Pointer to lowest byte of stack
	stackSize  uint64 // Size of stack
	tls        uint64 // Location of new TLS
	setTID     uint64 // Pointer to a pid_t array (since Linux 5.5)
	setTIDSize uint64 // Number of elements in set_tid (since Linux 5.5)
	cgroup     uint64 // File descriptor for target cgroup of child (since Linux 5.7)
}

// forkAndExecInChild1 implements the body of forkAndExecInChild up to
// the parent's post-fork path. This is a separate function so we can
// separate the child's and parent's stack frames if we're using
// vfork.
//
// This is go:noinline because the point is to keep the stack frames
// of this and forkAndExecInChild separate.
//
//go:noinline
//go:norace
//go:nocheckptr
func ( *byte, ,  []*byte, ,  *byte,  *ProcAttr,  *SysProcAttr,  int) ( uintptr,  int32,  Errno,  [2]int,  bool) {
	// Defined in linux/prctl.h starting with Linux 4.3.
	const (
		       = 0x2f
		 = 0x2
	)

	// vfork requires that the child not touch any of the parent's
	// active stack frames. Hence, the child does all post-fork
	// processing in this stack frame and never returns, while the
	// parent returns immediately from this frame and does all
	// post-fork processing in the outer frame.
	//
	// Declare all variables at top in case any
	// declarations require heap allocation (e.g., err2).
	// ":=" should not be used to declare any variable after
	// the call to runtime_BeforeFork.
	//
	// NOTE(bcmills): The allocation behavior described in the above comment
	// seems to lack a corresponding test, and it may be rendered invalid
	// by an otherwise-correct change in the compiler.
	var (
		                      Errno
		                    int
		                         int
		                      caps
		,                 uintptr
		, ,     []byte
		, ,  []byte
		                    *cloneArgs
		                      int32
		                     int
		                      *Credential
		,            uintptr
		                         uintptr
	)
	 = -1

	 := origRlimitNofile.Load()

	if .UidMappings != nil {
		 = []byte("/proc/self/uid_map\000")
		 = formatIDMappings(.UidMappings)
	}

	if .GidMappings != nil {
		 = []byte("/proc/self/setgroups\000")
		 = []byte("/proc/self/gid_map\000")

		if .GidMappingsEnableSetgroups {
			 = []byte("allow\000")
		} else {
			 = []byte("deny\000")
		}
		 = formatIDMappings(.GidMappings)
	}

	// Record parent PID so child can test if it has died.
	,  := rawSyscallNoError(SYS_GETPID, 0, 0, 0)

	// Guard against side effects of shuffling fds below.
	// Make sure that nextfd is beyond any currently open files so
	// that we can't run the risk of overwriting any of them.
	 := make([]int, len(.Files))
	 = len(.Files)
	for ,  := range .Files {
		if  < int() {
			 = int()
		}
		[] = int()
	}
	++

	// Allocate another pipe for parent to child communication for
	// synchronizing writing of User ID/Group ID mappings.
	if .UidMappings != nil || .GidMappings != nil {
		if  := forkExecPipe([:]);  != nil {
			 = .(Errno)
			return
		}
	}

	 = .Cloneflags
	if .Cloneflags&CLONE_NEWUSER == 0 && .Unshareflags&CLONE_NEWUSER == 0 {
		 |= CLONE_VFORK | CLONE_VM
	}
	if .PidFD != nil {
		 |= CLONE_PIDFD
	}
	// Whether to use clone3.
	if .UseCgroupFD || &CLONE_NEWTIME != 0 || forceClone3 {
		 = &cloneArgs{
			flags:      uint64(),
			exitSignal: uint64(SIGCHLD),
		}
		if .UseCgroupFD {
			.flags |= CLONE_INTO_CGROUP
			.cgroup = uint64(.CgroupFD)
		}
		if .PidFD != nil {
			.pidFD = uint64(uintptr(unsafe.Pointer(&)))
		}
	}

	// About to call fork.
	// No more allocation or calls of non-assembly functions.
	runtime_BeforeFork()
	 = true
	if  != nil {
		,  = rawVforkSyscall(_SYS_clone3, uintptr(unsafe.Pointer()), unsafe.Sizeof(*), 0)
	} else {
		// N.B. Keep in sync with doCheckClonePidfd.
		 |= uintptr(SIGCHLD)
		if runtime.GOARCH == "s390x" {
			// On Linux/s390, the first two arguments of clone(2) are swapped.
			,  = rawVforkSyscall(SYS_CLONE, 0, , uintptr(unsafe.Pointer(&)))
		} else {
			,  = rawVforkSyscall(SYS_CLONE, , 0, uintptr(unsafe.Pointer(&)))
		}
	}
	if  != 0 ||  != 0 {
		// If we're in the parent, we must return immediately
		// so we're not in the same stack frame as the child.
		// This can at most use the return PC, which the child
		// will not modify, and the results of
		// rawVforkSyscall, which must have been written after
		// the child was replaced.
		return
	}

	// Fork succeeded, now in child.

	// Enable the "keep capabilities" flag to set ambient capabilities later.
	if len(.AmbientCaps) > 0 {
		_, _,  = RawSyscall6(SYS_PRCTL, PR_SET_KEEPCAPS, 1, 0, 0, 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Wait for User ID/Group ID mappings to be written.
	if .UidMappings != nil || .GidMappings != nil {
		if _, _,  = RawSyscall(SYS_CLOSE, uintptr([1]), 0, 0);  != 0 {
			goto 
		}
		, _,  = RawSyscall(SYS_READ, uintptr([0]), uintptr(unsafe.Pointer(&)), unsafe.Sizeof())
		if  != 0 {
			goto 
		}
		if  != unsafe.Sizeof() {
			 = EINVAL
			goto 
		}
		if  != 0 {
			 = 
			goto 
		}
	}

	// Session ID
	if .Setsid {
		_, _,  = RawSyscall(SYS_SETSID, 0, 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Set process group
	if .Setpgid || .Foreground {
		// Place child in process group.
		_, _,  = RawSyscall(SYS_SETPGID, 0, uintptr(.Pgid), 0)
		if  != 0 {
			goto 
		}
	}

	if .Foreground {
		 = int32(.Pgid)
		if  == 0 {
			, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)

			 = int32()
		}

		// Place process group in foreground.
		_, _,  = RawSyscall(SYS_IOCTL, uintptr(.Ctty), uintptr(TIOCSPGRP), uintptr(unsafe.Pointer(&)))
		if  != 0 {
			goto 
		}
	}

	// Restore the signal mask. We do this after TIOCSPGRP to avoid
	// having the kernel send a SIGTTOU signal to the process group.
	runtime_AfterForkInChild()

	// Unshare
	if .Unshareflags != 0 {
		_, _,  = RawSyscall(SYS_UNSHARE, .Unshareflags, 0, 0)
		if  != 0 {
			goto 
		}

		if .Unshareflags&CLONE_NEWUSER != 0 && .GidMappings != nil {
			 = int(_AT_FDCWD)
			if , _,  = RawSyscall6(SYS_OPENAT, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(O_WRONLY), 0, 0, 0);  != 0 {
				goto 
			}
			, _,  = RawSyscall(SYS_WRITE, , uintptr(unsafe.Pointer(&[0])), uintptr(len()))
			if  != 0 {
				goto 
			}
			if _, _,  = RawSyscall(SYS_CLOSE, , 0, 0);  != 0 {
				goto 
			}

			if , _,  = RawSyscall6(SYS_OPENAT, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(O_WRONLY), 0, 0, 0);  != 0 {
				goto 
			}
			, _,  = RawSyscall(SYS_WRITE, , uintptr(unsafe.Pointer(&[0])), uintptr(len()))
			if  != 0 {
				goto 
			}
			if _, _,  = RawSyscall(SYS_CLOSE, , 0, 0);  != 0 {
				goto 
			}
		}

		if .Unshareflags&CLONE_NEWUSER != 0 && .UidMappings != nil {
			 = int(_AT_FDCWD)
			if , _,  = RawSyscall6(SYS_OPENAT, uintptr(), uintptr(unsafe.Pointer(&[0])), uintptr(O_WRONLY), 0, 0, 0);  != 0 {
				goto 
			}
			, _,  = RawSyscall(SYS_WRITE, , uintptr(unsafe.Pointer(&[0])), uintptr(len()))
			if  != 0 {
				goto 
			}
			if _, _,  = RawSyscall(SYS_CLOSE, , 0, 0);  != 0 {
				goto 
			}
		}

		// The unshare system call in Linux doesn't unshare mount points
		// mounted with --shared. Systemd mounts / with --shared. For a
		// long discussion of the pros and cons of this see debian bug 739593.
		// The Go model of unsharing is more like Plan 9, where you ask
		// to unshare and the namespaces are unconditionally unshared.
		// To make this model work we must further mark / as MS_PRIVATE.
		// This is what the standard unshare command does.
		if .Unshareflags&CLONE_NEWNS == CLONE_NEWNS {
			_, _,  = RawSyscall6(SYS_MOUNT, uintptr(unsafe.Pointer(&none[0])), uintptr(unsafe.Pointer(&slash[0])), 0, MS_REC|MS_PRIVATE, 0, 0)
			if  != 0 {
				goto 
			}
		}
	}

	// Chroot
	if  != nil {
		_, _,  = RawSyscall(SYS_CHROOT, uintptr(unsafe.Pointer()), 0, 0)
		if  != 0 {
			goto 
		}
	}

	// User and groups
	if  = .Credential;  != nil {
		 = uintptr(len(.Groups))
		 = uintptr(0)
		if  > 0 {
			 = uintptr(unsafe.Pointer(&.Groups[0]))
		}
		if !(.GidMappings != nil && !.GidMappingsEnableSetgroups &&  == 0) && !.NoSetGroups {
			_, _,  = RawSyscall(_SYS_setgroups, , , 0)
			if  != 0 {
				goto 
			}
		}
		_, _,  = RawSyscall(sys_SETGID, uintptr(.Gid), 0, 0)
		if  != 0 {
			goto 
		}
		_, _,  = RawSyscall(sys_SETUID, uintptr(.Uid), 0, 0)
		if  != 0 {
			goto 
		}
	}

	if len(.AmbientCaps) != 0 {
		// Ambient capabilities were added in the 4.3 kernel,
		// so it is safe to always use _LINUX_CAPABILITY_VERSION_3.
		.hdr.version = _LINUX_CAPABILITY_VERSION_3

		if _, _,  = RawSyscall(SYS_CAPGET, uintptr(unsafe.Pointer(&.hdr)), uintptr(unsafe.Pointer(&.data[0])), 0);  != 0 {
			goto 
		}

		for _,  = range .AmbientCaps {
			// Add the c capability to the permitted and inheritable capability mask,
			// otherwise we will not be able to add it to the ambient capability mask.
			.data[capToIndex()].permitted |= capToMask()
			.data[capToIndex()].inheritable |= capToMask()
		}

		if _, _,  = RawSyscall(SYS_CAPSET, uintptr(unsafe.Pointer(&.hdr)), uintptr(unsafe.Pointer(&.data[0])), 0);  != 0 {
			goto 
		}

		for _,  = range .AmbientCaps {
			_, _,  = RawSyscall6(SYS_PRCTL, , uintptr(), , 0, 0, 0)
			if  != 0 {
				goto 
			}
		}
	}

	// Chdir
	if  != nil {
		_, _,  = RawSyscall(SYS_CHDIR, uintptr(unsafe.Pointer()), 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Parent death signal
	if .Pdeathsig != 0 {
		_, _,  = RawSyscall6(SYS_PRCTL, PR_SET_PDEATHSIG, uintptr(.Pdeathsig), 0, 0, 0, 0)
		if  != 0 {
			goto 
		}

		// Signal self if parent is already dead. This might cause a
		// duplicate signal in rare cases, but it won't matter when
		// using SIGKILL.
		, _ = rawSyscallNoError(SYS_GETPPID, 0, 0, 0)
		if  !=  {
			, _ = rawSyscallNoError(SYS_GETPID, 0, 0, 0)
			_, _,  = RawSyscall(SYS_KILL, , uintptr(.Pdeathsig), 0)
			if  != 0 {
				goto 
			}
		}
	}

	// Pass 1: look for fd[i] < i and move those up above len(fd)
	// so that pass 2 won't stomp on an fd it needs later.
	if  <  {
		_, _,  = RawSyscall(SYS_DUP3, uintptr(), uintptr(), O_CLOEXEC)
		if  != 0 {
			goto 
		}
		 = 
		++
	}
	for  = 0;  < len(); ++ {
		if [] >= 0 && [] <  {
			if  ==  { // don't stomp on pipe
				++
			}
			_, _,  = RawSyscall(SYS_DUP3, uintptr([]), uintptr(), O_CLOEXEC)
			if  != 0 {
				goto 
			}
			[] = 
			++
		}
	}

	// Pass 2: dup fd[i] down onto i.
	for  = 0;  < len(); ++ {
		if [] == -1 {
			RawSyscall(SYS_CLOSE, uintptr(), 0, 0)
			continue
		}
		if [] ==  {
			// dup2(i, i) won't clear close-on-exec flag on Linux,
			// probably not elsewhere either.
			_, _,  = RawSyscall(fcntl64Syscall, uintptr([]), F_SETFD, 0)
			if  != 0 {
				goto 
			}
			continue
		}
		// The new fd is created NOT close-on-exec,
		// which is exactly what we want.
		_, _,  = RawSyscall(SYS_DUP3, uintptr([]), uintptr(), 0)
		if  != 0 {
			goto 
		}
	}

	// By convention, we don't close-on-exec the fds we are
	// started with, so if len(fd) < 3, close 0, 1, 2 as needed.
	// Programs that know they inherit fds >= 3 will need
	// to set them close-on-exec.
	for  = len();  < 3; ++ {
		RawSyscall(SYS_CLOSE, uintptr(), 0, 0)
	}

	// Detach fd 0 from tty
	if .Noctty {
		_, _,  = RawSyscall(SYS_IOCTL, 0, uintptr(TIOCNOTTY), 0)
		if  != 0 {
			goto 
		}
	}

	// Set the controlling TTY to Ctty
	if .Setctty {
		_, _,  = RawSyscall(SYS_IOCTL, uintptr(.Ctty), uintptr(TIOCSCTTY), 1)
		if  != 0 {
			goto 
		}
	}

	// Restore original rlimit.
	if  != nil {
		rawSetrlimit(RLIMIT_NOFILE, )
	}

	// Enable tracing if requested.
	// Do this right before exec so that we don't unnecessarily trace the runtime
	// setting up after the fork. See issue #21428.
	if .Ptrace {
		_, _,  = RawSyscall(SYS_PTRACE, uintptr(PTRACE_TRACEME), 0, 0)
		if  != 0 {
			goto 
		}
	}

	// Time to exec.
	_, _,  = RawSyscall(SYS_EXECVE,
		uintptr(unsafe.Pointer()),
		uintptr(unsafe.Pointer(&[0])),
		uintptr(unsafe.Pointer(&[0])))

:
	// send error code on pipe
	RawSyscall(SYS_WRITE, uintptr(), uintptr(unsafe.Pointer(&)), unsafe.Sizeof())
	for {
		RawSyscall(SYS_EXIT, 253, 0, 0)
	}
}

func ( []SysProcIDMap) []byte {
	var  []byte
	for ,  := range  {
		 = append(, itoa.Itoa(.ContainerID)+" "+itoa.Itoa(.HostID)+" "+itoa.Itoa(.Size)+"\n"...)
	}
	return 
}

// writeIDMappings writes the user namespace User ID or Group ID mappings to the specified path.
func ( string,  []SysProcIDMap) error {
	,  := Open(, O_RDWR, 0)
	if  != nil {
		return 
	}

	if ,  := Write(, formatIDMappings());  != nil {
		Close()
		return 
	}

	if  := Close();  != nil {
		return 
	}

	return nil
}

// writeSetgroups writes to /proc/PID/setgroups "deny" if enable is false
// and "allow" if enable is true.
// This is needed since kernel 3.19, because you can't write gid_map without
// disabling setgroups() system call.
func ( int,  bool) error {
	 := "/proc/" + itoa.Itoa() + "/setgroups"
	,  := Open(, O_RDWR, 0)
	if  != nil {
		return 
	}

	var  []byte
	if  {
		 = []byte("allow")
	} else {
		 = []byte("deny")
	}

	if ,  := Write(, );  != nil {
		Close()
		return 
	}

	return Close()
}

// writeUidGidMappings writes User ID and Group ID mappings for user namespaces
// for a process and it is called from the parent process.
func ( int,  *SysProcAttr) error {
	if .UidMappings != nil {
		 := "/proc/" + itoa.Itoa() + "/uid_map"
		if  := writeIDMappings(, .UidMappings);  != nil {
			return 
		}
	}

	if .GidMappings != nil {
		// If the kernel is too old to support /proc/PID/setgroups, writeSetGroups will return ENOENT; this is OK.
		if  := writeSetgroups(, .GidMappingsEnableSetgroups);  != nil &&  != ENOENT {
			return 
		}
		 := "/proc/" + itoa.Itoa() + "/gid_map"
		if  := writeIDMappings(, .GidMappings);  != nil {
			return 
		}
	}

	return nil
}

// forkAndExecFailureCleanup cleans up after an exec failure.
func ( *ProcAttr,  *SysProcAttr) {
	if .PidFD != nil && *.PidFD != -1 {
		Close(*.PidFD)
		*.PidFD = -1
	}
}

// checkClonePidfd verifies that clone(CLONE_PIDFD) works by actually doing a
// clone.
//
//go:linkname os_checkClonePidfd os.checkClonePidfd
func () error {
	 := int32(-1)
	,  := doCheckClonePidfd(&)
	if  != 0 {
		return 
	}

	if  == -1 {
		// Bad: CLONE_PIDFD failed to provide a pidfd. Reap the process
		// before returning.

		var  error
		for {
			var  WaitStatus
			// WCLONE is an untyped constant that sets bit 31, so
			// it cannot convert directly to int on 32-bit
			// GOARCHes. We must convert through another type
			// first.
			 := uint(WCLONE)
			_,  = Wait4(int(), &, int(), nil)
			if  != EINTR {
				break
			}
		}
		if  != nil {
			return 
		}

		return errpkg.New("clone(CLONE_PIDFD) failed to return pidfd")
	}

	// Good: CLONE_PIDFD provided a pidfd. Reap the process and close the
	// pidfd.
	defer Close(int())

	for {
		const  = 3
		_, _,  = Syscall6(SYS_WAITID, , uintptr(), 0, WEXITED | WCLONE, 0, 0)
		if  != EINTR {
			break
		}
	}
	if  != 0 {
		return 
	}

	return nil
}

// doCheckClonePidfd implements the actual clone call of os_checkClonePidfd and
// child execution. This is a separate function so we can separate the child's
// and parent's stack frames if we're using vfork.
//
// This is go:noinline because the point is to keep the stack frames of this
// and os_checkClonePidfd separate.
//
//go:noinline
func ( *int32) ( uintptr,  Errno) {
	 := uintptr(CLONE_VFORK | CLONE_VM | CLONE_PIDFD)
	if runtime.GOARCH == "s390x" {
		// On Linux/s390, the first two arguments of clone(2) are swapped.
		,  = rawVforkSyscall(SYS_CLONE, 0, , uintptr(unsafe.Pointer()))
	} else {
		,  = rawVforkSyscall(SYS_CLONE, , 0, uintptr(unsafe.Pointer()))
	}
	if  != 0 ||  != 0 {
		// If we're in the parent, we must return immediately
		// so we're not in the same stack frame as the child.
		// This can at most use the return PC, which the child
		// will not modify, and the results of
		// rawVforkSyscall, which must have been written after
		// the child was replaced.
		return
	}

	for {
		RawSyscall(SYS_EXIT_GROUP, 0, 0, 0)
	}
}