From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH] fix create thread failed in unprivileged process [BZ #28287]
From: Hongxu Jia
To: "H.J. Lu"
Cc: GNU C Library, Adhemerval Zanella, Richard Purdie
References: <20210829132954.18148-1-hongxu.jia@windriver.com>
Message-ID: <5525f5aa-b26a-4953-3bcf-b591d4626806@windriver.com>
Date: Sun, 29 Aug 2021 22:46:21 +0800
X-BeenThere: libc-alpha@sourceware.org

With a simple search, the newest docker has corrected the issue

https://github.com/moby/moby/commit/9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594

but the commit was only applied on master, not any released version

//Hongxu

On 8/29/21 10:12 PM, Hongxu Jia wrote:
> On 8/29/21 9:47 PM, H.J. Lu wrote:
>> On Sun, Aug 29, 2021 at 6:29 AM Hongxu Jia wrote:
>>> Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3]
>>> applied, start an unprivileged container (docker run without --privileged),
>>> it creates a thread failed in container.
>>>
>>> In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WRAPPER is defined.  If
>>> __clone3 returns -1 with ENOSYS, fall back to clone or clone2.
>>>
>>> As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP,
>>> CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS
>>> was specified by an unprivileged process (process without CAP_SYS_ADMIN)
>> I don't think the description is accurate.  In your test, none
>> of the mentioned flags are used directly.  The real bug is
>> that the container you used blocks the normal clone3 and
>> sets errno to EPERM.  The question is if/how glibc should
>> work around the clone3 bug in containers.   We want to add
>> a public clone3 wrapper to glibc in the future.  But before we
>> do that, all these containers should be changed to ENOSYS
>> if clone3 is blocked.
>
> You mean I should fix the container (here is the docker I used) to correct
> EPERM to ENOSYS in this situation, but for the released/old docker,
> the pthread_create still does not work with glibc 2.34 in unprivileged mode.
>
> In other words, should the new glibc consider backward compatibility with others?
> > //Hongxu > >>> [1] https://man7.org/linux/man-pages/man2/clone3.2.html >>> >>> So if __clone3 returns -1 with EPERM, fall back to clone or clone2 >>> could >>> fix the issue. Here are the test steps: >>> >>> 1) Prepare test code >>> cat > conftest.c <>>   #include >>>   #include >>> >>> int check_me = 0; >>> void* func(void* data) {check_me = 42; printf("start thread: >>> check_me %d\n", check_me); return &check_me;} >>> int main() >>> { >>>    pthread_t t; >>>    void *ret; >>>    pthread_create (&t, 0, func, 0); >>>    pthread_join (t, &ret); >>>    printf("check_me %d, p %p\n", check_me, &ret); >>>    return (check_me != 42 || ret != &check_me); >>> } >>> >>> ENDOF >>> >>> 2) Compile >>> gcc -o conftest -pthread conftest.c >>> >>> 3) Start a container with glibc 2.34 installed >>> [skip details] >>> docker run -it bash >>> >>> 4) Run conftest without this patch >>> $ ./conftest >>> check_me 0, p 0x7ffd91ccd400 >>> >>> 5) Run conftest with this patch >>> $ ./conftest >>> start thread: check_me 42 >>> check_me 42, p 0x7ffe253c6f20 >>> >>> Signed-off-by: Hongxu Jia >>> --- >>>   sysdeps/unix/sysv/linux/clone-internal.c | 2 +- >>>   1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/sysdeps/unix/sysv/linux/clone-internal.c >>> b/sysdeps/unix/sysv/linux/clone-internal.c >>> index 979f7880be..97101994e8 100644 >>> --- a/sysdeps/unix/sysv/linux/clone-internal.c >>> +++ b/sysdeps/unix/sysv/linux/clone-internal.c >>> @@ -52,7 +52,7 @@ __clone_internal (struct clone_args *cl_args, >>>     /* Try clone3 first.  */ >>>     int saved_errno = errno; >>>     ret = __clone3 (cl_args, sizeof (*cl_args), func, arg); >>> -  if (ret != -1 || errno != ENOSYS) >>> +  if (ret != -1 || (errno != ENOSYS && errno != EPERM)) >>>       return ret; >>> >>>     /* NB: Restore errno since errno may be checked against non-zero >>> -- >>> 2.30.2 >>> >> >> -- >> H.J. > >
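
Review bot: The new condition `errno != ENOSYS && errno != EPERM` in __clone_internal treats every EPERM from __clone3 as "clone3 is unavailable", so a genuine permission failure is no longer returned at once but is retried through the clone/clone2 fallback. The "Try clone3 first" comment should state that EPERM is accepted only because some containers block clone3 with EPERM instead of ENOSYS, so that the extra case can be removed once those containers are fixed. Because the next context line restores errno before the fallback, it is also worth checking that a caller still sees a meaningful error when both paths fail.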
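
The thread turns on whether a blocked clone3 answers ENOSYS or EPERM. As an added example (not glibc or Docker code; the enum and function names are hypothetical), this C probe classifies how the current environment answers clone3 and evaluates the fallback condition before and after the patch. It assumes that a kernel implementing clone3 rejects a zero-size argument with EINVAL, so the probe never creates a process.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435          /* Linux clone3 syscall number */
#endif

enum clone3_state { CLONE3_AVAILABLE, CLONE3_UNSUPPORTED,
                    CLONE3_BLOCKED_EPERM, CLONE3_OTHER };

/* Interpret the result of the zero-size probe call (hypothetical helper).  */
enum clone3_state classify_clone3(long ret, int err)
{
    if (ret != -1)
        return CLONE3_OTHER;            /* the probe should never succeed */
    switch (err) {
    case EINVAL: return CLONE3_AVAILABLE;      /* kernel parsed the call */
    case ENOSYS: return CLONE3_UNSUPPORTED;    /* old kernel or ENOSYS filter */
    case EPERM:  return CLONE3_BLOCKED_EPERM;  /* blocked, as in the thread */
    default:     return CLONE3_OTHER;
    }
}

/* Fallback decision from the patch: accept_eperm = 0 is the original
   condition, accept_eperm = 1 is the condition after the change.  */
int falls_back_to_clone(long ret, int err, int accept_eperm)
{
    if (ret != -1)
        return 0;
    return err == ENOSYS || (accept_eperm && err == EPERM);
}

/* Issue clone3 with a NULL argument block of size 0 and classify the answer.  */
enum clone3_state probe_clone3(void)
{
    errno = 0;
    long ret = syscall(SYS_clone3, NULL, (size_t) 0);
    return classify_clone3(ret, errno);
}

int main(void)
{
    static const char *names[] = { "available", "unsupported (ENOSYS)",
                                   "blocked with EPERM", "other" };
    printf("clone3: %s\n", names[probe_clone3()]);
    return 0;
}
```

Run inside the container under test: "blocked with EPERM" is the situation in which the unpatched condition returns the error to pthread_create instead of falling back.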