public inbox for glibc-bugs@sourceware.org
* [Bug libc/28287] New: create thread failed in unprivileged process
From: hongxu.jia at windriver dot com @ 2021-08-29 13:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28287

            Bug ID: 28287
           Summary: create thread failed in unprivileged process
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: hongxu.jia at windriver dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3]
was applied, starting an unprivileged container (docker run without --privileged)
and creating a thread in the container fails.

In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WRAPPER is defined. If
__clone3 returns -1 with ENOSYS, it falls back to clone or clone2.

As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP,
CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS
was specified by an unprivileged process (a process without CAP_SYS_ADMIN).

[1] https://man7.org/linux/man-pages/man2/clone3.2.html

So if __clone3 returns -1 with EPERM, falling back to clone or clone2 could
fix the issue. Here are the test steps:

1) Prepare test code
cat > conftest.c <<'ENDOF'
#include <pthread.h>
#include <stdio.h>
#include <string.h>

int check_me = 0;

/* Thread body: set the flag and return its address so main can verify
   that the thread really ran. */
void *func(void *data)
{
  (void) data;
  check_me = 42;
  printf("start thread: check_me %d\n", check_me);
  return &check_me;
}

int main(void)
{
  pthread_t t;
  void *ret = NULL;
  /* pthread_create returns the error number directly. Report it instead of
     joining an uninitialised pthread_t when thread creation fails. */
  int err = pthread_create(&t, 0, func, 0);
  if (err != 0)
    printf("pthread_create failed: %s (%d)\n", strerror(err), err);
  else
    pthread_join(t, &ret);
  printf("check_me %d, p %p\n", check_me, &ret);
  /* Exit status 0 only if the thread ran and returned the expected pointer. */
  return (check_me != 42 || ret != &check_me);
}
ENDOF

2) Compile
gcc -o conftest -pthread conftest.c

3) Start a container with glibc 2.34 installed
[skip details]
docker run -it <container-image-name> bash

4) Run conftest: creating the thread fails
$ ./conftest
check_me 0, p 0x7ffd91ccd400

5) Run conftest, expected output:
$ ./conftest
start thread: check_me 42
check_me 42, p 0x7ffe253c6f20

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug libc/28287] create thread failed in unprivileged process
From: hongxu.jia at windriver dot com @ 2021-08-29 13:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28287

Hongxu Jia <hongxu.jia at windriver dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|unspecified                 |2.34


* [Bug libc/28287] create thread failed in unprivileged process
From: fweimer at redhat dot com @ 2021-08-29 20:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28287

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
         Resolution|---                         |MOVED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
This is a bug in the container runtime.

We are not going to ignore EPERM errors in glibc. Patches along these lines
have already been rejected when this matter came up originally.

[PATCH] syscalls: Document OCI seccomp filter interactions & workaround
<https://lore.kernel.org/linux-api/87lfer2c0b.fsf@oldenburg2.str.redhat.com/>

[RFC PATCH] Linux: Add seccomp probing to faccessat2
<https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html>

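An added diagnostic probe, not code from the bug report or from glibc, illustrating the distinction both messages turn on: glibc's clone wrapper falls back to clone/clone2 only when clone3 fails with ENOSYS, so a container seccomp filter that answers clone3 with EPERM instead of ENOSYS leaves pthread_create failing. The probe is Linux-only and assumes that a kernel implementing clone3 rejects a zero-length argument struct with EINVAL before creating any child, and that SYS_clone3 is 435 where the installed headers lack it.

```c
/* Added example (not from the bug report or glibc): probe whether clone3 is
 * reachable from this process and classify the result as glibc's fallback logic sees it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef SYS_clone3
/* Assumption: clone3 is syscall 435 on every Linux architecture; older headers may lack it. */
#define SYS_clone3 435
#endif

enum clone3_status {
    CLONE3_AVAILABLE,       /* kernel implements clone3: our bogus size gets EINVAL */
    CLONE3_ENOSYS,          /* no clone3: glibc falls back to clone/clone2 */
    CLONE3_EPERM_FILTERED,  /* filter answers EPERM: glibc does NOT fall back */
    CLONE3_OTHER
};

/* Pure mapping from (return value, errno) to a status, testable with constructed inputs. */
enum clone3_status classify_clone3(long rc, int err)
{
    if (rc == -1 && err == ENOSYS)
        return CLONE3_ENOSYS;
    if (rc == -1 && err == EPERM)
        return CLONE3_EPERM_FILTERED;
    if (rc == -1 && err == EINVAL)
        return CLONE3_AVAILABLE;
    return CLONE3_OTHER;
}

/* Call clone3 with a zero-length argument struct. A kernel that implements clone3
 * rejects the size before touching the pointer, so no child is ever created; a
 * missing syscall yields ENOSYS and a seccomp filter returning an error shows as EPERM. */
enum clone3_status probe_clone3(void)
{
    errno = 0;
    long rc = syscall(SYS_clone3, NULL, 0);
    return classify_clone3(rc, errno);
}

int main(void)
{
    static const char *names[] = { "available", "ENOSYS (fallback works)",
                                   "EPERM (seccomp filter, no fallback)", "other" };
    printf("clone3 probe: %s\n", names[probe_clone3()]);
    return 0;
}
```

Run inside and outside the container to compare: the EPERM result is the runtime-side condition Florian Weimer's reply points at.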
