syscall: add Jail int32 to SysProcAttr on FreeBSD

[gizahNL]

Adding an int32 jail param to SysProcAttr on FreeBSD and calling the JAIL_ATTACH syscall inside the forked child would allow cleanly running a command inside a FreeBSD jail.

[rsc]

This proposal has been added to the active column of the proposals project and will now be reviewed at the weekly proposal review meetings. — rsc for the proposal review group

[rsc]

Does anyone object to this?

[gizahNL]

An implementation detail I did not think about before: jail attach chroots into the jail, and changes the working directory of the program to the root of the jail. If it's feasible to change the working directory in the forked child it must be done after calling the attach syscall, if it's unfeasible I guess an error could be returned when both Cmd.Dir and SysProcAttr.Jail is set as to indicate that such a combination of options is unsupported.

[ianlancetaylor]

@gizahNL That doesn't seem like a problem. The relevant code is in syscall/exec_bsd.go.

[rsc]

/cc @samuelkarp to see if this would have helped https://github.com/samuelkarp/runj.

[rsc]

Based on the discussion above, this proposal seems like a likely accept. — rsc for the proposal review group

[samuelkarp]

/cc @samuelkarp to see if this would have helped samuelkarp/runj.

Yes, this will likely help runj in some scenarios, while runj will likely invoke JAIL_ATTACH directly in others.

[rsc]

No change in consensus, so accepted. 🎉 This issue now tracks the work of implementing the proposal. — rsc for the proposal review group

[gopherbot]

Change https://golang.org/cl/355569 mentions this issue: syscall: separate ProcSysAttr and forkAndExecInChild for FreeBSD

[gopherbot]

Change https://go.dev/cl/458335 mentions this issue: syscall: add jail support to ForkExec on FreeBSD

[gopherbot]

Change https://go.dev/cl/498376 mentions this issue: doc/go1.21: mention syscall package changes