public inbox for glibc-bugs@sourceware.org
* [Bug libc/28287] New: create thread failed in unprivileged process
@ 2021-08-29 13:20 hongxu.jia at windriver dot com
From: hongxu.jia at windriver dot com @ 2021-08-29 13:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28287
Bug ID: 28287
Summary: create thread failed in unprivileged process
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: hongxu.jia at windriver dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3]
was applied, starting an unprivileged container (docker run without --privileged)
and creating a thread inside the container fails.
In commit d8ea0d0168, glibc calls __clone3 if HAVE_CLONE3_WRAPPER is defined. If
__clone3 returns -1 with ENOSYS, it falls back to clone or clone2.
As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP,
CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS
was specified by an unprivileged process (a process without CAP_SYS_ADMIN).
[1] https://man7.org/linux/man-pages/man2/clone3.2.html
So if __clone3 returns -1 with EPERM, falling back to clone or clone2 could
fix the issue. Here are the test steps:
1) Prepare test code
cat > conftest.c <<ENDOF
#include <pthread.h>
#include <stdio.h>

/* Set to 42 by the new thread; stays 0 if the thread never ran. */
int check_me = 0;

void *func(void *data)
{
  (void) data;
  check_me = 42;
  printf("start thread: check_me %d\n", check_me);
  return &check_me;
}

int main(void)
{
  pthread_t t;
  void *ret;
  pthread_create(&t, 0, func, 0);
  pthread_join(t, &ret);
  printf("check_me %d, p %p\n", check_me, &ret);
  /* Exit status is non-zero when the thread did not run or returned the wrong pointer. */
  return (check_me != 42 || ret != &check_me);
}
ENDOF
2) Compile
gcc -o conftest -pthread conftest.c
3) Start a container with glibc 2.34 installed
[skip details]
docker run -it <container-image-name> bash
4) Run conftest; creating the thread fails
$ ./conftest
check_me 0, p 0x7ffd91ccd400
5) Run conftest; expected output when thread creation works
$ ./conftest
start thread: check_me 42
check_me 42, p 0x7ffe253c6f20
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/28287] create thread failed in unprivileged process
From: hongxu.jia at windriver dot com @ 2021-08-29 13:22 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28287
Hongxu Jia <hongxu.jia at windriver dot com> changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
        Version    |unspecified |2.34
* [Bug libc/28287] create thread failed in unprivileged process
From: fweimer at redhat dot com @ 2021-08-29 20:27 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28287
Florian Weimer <fweimer at redhat dot com> changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
             CC    |            |fweimer at redhat dot com
     Resolution    |---         |MOVED
         Status    |UNCONFIRMED |RESOLVED
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
This is a bug in the container runtime.
We are not going to ignore EPERM errors in glibc. Patches along these lines
have already been rejected when this matter came up originally.
[PATCH] syscalls: Document OCI seccomp filter interactions & workaround
<https://lore.kernel.org/linux-api/87lfer2c0b.fsf@oldenburg2.str.redhat.com/>
[RFC PATCH] Linux: Add seccomp probing to faccessat2
<https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html>
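The report and Florian's reply turn on one distinction: glibc falls back from clone3 to clone only on ENOSYS, and a container runtime whose seccomp profile denies clone3 with EPERM instead of ENOSYS makes pthread_create fail. The probe below is an added example, not code from the bug report or from glibc, that lets an operator check which case a container is in before touching glibc. It issues clone3 with a zero-length argument block, which a kernel that implements the syscall rejects with EINVAL before creating anything, so no child is ever spawned; the idea is modelled on the seccomp probing approach Florian's links refer to, but the function names, the enum and the specific probe arguments are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* clone3 has the same syscall number on every architecture that provides it;
   older libc headers may not define SYS_clone3. */
#if defined(__linux__) && !defined(SYS_clone3)
#define SYS_clone3 435
#endif

enum clone3_status {
  CLONE3_AVAILABLE, /* kernel implements clone3 and nothing blocks it */
  CLONE3_ABSENT,    /* ENOSYS: kernel too old, or a filter that reports it correctly */
  CLONE3_FILTERED,  /* EPERM: a seccomp profile denies clone3 with the wrong errno */
  CLONE3_UNKNOWN    /* anything else, or not a Linux system */
};

/* Map the errno from a deliberately invalid clone3 call to a verdict.
   size 0 is rejected with EINVAL by every kernel that has the syscall. */
enum clone3_status classify_clone3_errno(int err)
{
  switch (err) {
  case EINVAL: return CLONE3_AVAILABLE;
  case ENOSYS: return CLONE3_ABSENT;
  case EPERM:  return CLONE3_FILTERED;
  default:     return CLONE3_UNKNOWN;
  }
}

/* The fallback rule the report describes for glibc's clone wrapper: only
   ENOSYS selects clone()/clone2(). EPERM is returned to the caller, which
   is why a filter that answers EPERM makes pthread_create fail. */
int should_fall_back_to_clone(int err)
{
  return err == ENOSYS;
}

/* Issue the probe. The call can never succeed (size 0 is always invalid),
   so no child is created. *saved_errno receives the raw errno. */
enum clone3_status probe_clone3(int *saved_errno)
{
#ifdef __linux__
  long rc = syscall(SYS_clone3, (void *) 0, (size_t) 0);
  if (rc != -1) {
    *saved_errno = 0;
    return CLONE3_UNKNOWN;
  }
  *saved_errno = errno;
  return classify_clone3_errno(*saved_errno);
#else
  *saved_errno = ENOSYS;
  return CLONE3_UNKNOWN;
#endif
}

int main(void)
{
  static const char *const names[] = {
    "available", "absent (ENOSYS)", "blocked by seccomp with EPERM", "unknown"
  };
  int err = 0;
  enum clone3_status st = probe_clone3(&err);
  printf("clone3: %s (errno %d: %s)\n", names[st], err, strerror(err));
  if (st == CLONE3_FILTERED)
    printf("glibc will not fall back to clone(); fix the runtime's seccomp profile\n");
  return st == CLONE3_FILTERED;
}
```

Run it inside the container that shows the failure: "blocked by seccomp with EPERM" confirms the runtime profile is the thing to fix (newer default profiles return ENOSYS for unknown syscalls, which glibc handles), whereas "absent (ENOSYS)" means the fallback to clone already applies and the failure lies elsewhere. A profile that uses SECCOMP_RET_KILL rather than an errno return will terminate the probe instead of reporting, so an abrupt exit is itself a finding.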