From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <hjl.tools@gmail.com>
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com
 [IPv6:2607:f8b0:4864:20::529])
 by sourceware.org (Postfix) with ESMTPS id 731BC3858C3B
 for <libc-alpha@sourceware.org>; Sun, 29 Aug 2021 13:47:52 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 731BC3858C3B
Received: by mail-pg1-x529.google.com with SMTP id n18so10747022pgm.12
 for <libc-alpha@sourceware.org>; Sun, 29 Aug 2021 06:47:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=ixwJRZwMJJqp/J41e1KChwaDGuNjDmuP0Oupg5qAUpA=;
 b=iE2cO4aFhglT5btXoGgcyO4xgvbzSeBM7NQAnKh+pSXR8GP6ZdpV5dihuSQKe/gkL8
 0vg9gx2XAYvYFWEQ96J8JOJRZdGlftIMUIHRJvDRJSmRUjjgJ2EQmo29yNgdNStQBgpL
 1JDHTgzPJjGvDxmr/LZFIWYCceNlx785MsUlAT7HGJYDnNiiOmx3YI+Ztkxc4kXaU9SE
 1ywun1EIwOjvQq3ZXQb3qehqfzi2vcLrMCrjsPrQrrQ18lZAOoIZq1kQpZXCFJCTgEBp
 8/WJZ/JlOQgPCQFCDyzSMu7J/HEfdxzq8lpwib73BHWPot9f+Xu7c5gj4bFIyiaGA8ZZ
 ZOBA==
X-Gm-Message-State: AOAM530uN3zZpy+xVliMNSumMecLc7oMWnngOZWxGcMSsV7TqOEKG+qe
 QMQ5RxNAvFFai/2rINbmcQXdPY1LoXQF3Fn5v5M=
X-Google-Smtp-Source: ABdhPJxv4TZjzTcMRNfVTmclIysE13MfnQQLuXzRz+ieKXjPctCgGjasgtHHGfjN+IW0m17tb0ZPvCJlwn7mbkjzqzE=
X-Received: by 2002:a05:6a00:13a5:b0:3ee:3f60:ab0d with SMTP id
 t37-20020a056a0013a500b003ee3f60ab0dmr18701776pfg.48.1630244871520; Sun, 29
 Aug 2021 06:47:51 -0700 (PDT)
MIME-Version: 1.0
References: <20210829132954.18148-1-hongxu.jia@windriver.com>
In-Reply-To: <20210829132954.18148-1-hongxu.jia@windriver.com>
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Sun, 29 Aug 2021 06:47:15 -0700
Message-ID: <CAMe9rOp9ojskBV-HRDy_yaP4DkHn=-jEPqMujW4gE1-j7azJaQ@mail.gmail.com>
Subject: Re: [PATCH] fix create thread failed in unprivileged process [BZ
 #28287]
To: Hongxu Jia <hongxu.jia@windriver.com>
Cc: GNU C Library <libc-alpha@sourceware.org>, 
 Adhemerval Zanella <adhemerval.zanella@linaro.org>, 
 Richard Purdie <richard.purdie@linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-3030.9 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0,
 KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Aug 2021 13:48:02 -0000

On Sun, Aug 29, 2021 at 6:29 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3]
> applied, start a unprivileged container (docker run without --privileged),
> it creates a thread failed in container.
>
> In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER is defined.  If
> __clone3 returns -1 with ENOSYS, fall back to clone or clone2.
>
> As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP,
> CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS
> was specified by an unprivileged process (process without CAP_SYS_ADMIN)

I don't think the description is accurate.  In your test, none
of the mentioned flags are used directly.  The real bug is
that the container you used blocks the normal clone3 and
sets errno to EPERM.  The question is if/how glibc should
work arounds the clone3 bug in containers.   We want to add
a public clone3 wrapper to glibc in the future.  But before we
do that, all these containers should be changed to ENOSYS
if clone3 is blocked.

> [1] https://man7.org/linux/man-pages/man2/clone3.2.html
>
> So if __clone3 returns -1 with EPERM, fall back to clone or clone2 could
> fix the issue. Here are the test steps:
>
> 1) Prepare test code
> cat > conftest.c <<ENDOF
>  #include <pthread.h>
>  #include <stdio.h>
>
> int check_me = 0;
> void* func(void* data) {check_me = 42; printf("start thread: check_me %d\n", check_me); return &check_me;}
> int main()
> {
>   pthread_t t;
>   void *ret;
>   pthread_create (&t, 0, func, 0);
>   pthread_join (t, &ret);
>   printf("check_me %d, p %p\n", check_me, &ret);
>   return (check_me != 42 || ret != &check_me);
> }
>
> ENDOF
>
> 2) Compile
> gcc -o conftest -pthread conftest.c
>
> 3) Start a container with glibc 2.34 installed
> [skip details]
> docker run -it <container-image-name> bash
>
> 4) Run conftest without this patch
> $ ./conftest
> check_me 0, p 0x7ffd91ccd400
>
> 5) Run conftest with this patch
> $ ./conftest
> start thread: check_me 42
> check_me 42, p 0x7ffe253c6f20
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  sysdeps/unix/sysv/linux/clone-internal.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sysdeps/unix/sysv/linux/clone-internal.c b/sysdeps/unix/sysv/linux/clone-internal.c
> index 979f7880be..97101994e8 100644
> --- a/sysdeps/unix/sysv/linux/clone-internal.c
> +++ b/sysdeps/unix/sysv/linux/clone-internal.c
> @@ -52,7 +52,7 @@ __clone_internal (struct clone_args *cl_args,
>    /* Try clone3 first.  */
>    int saved_errno = errno;
>    ret = __clone3 (cl_args, sizeof (*cl_args), func, arg);
> -  if (ret != -1 || errno != ENOSYS)
> +  if (ret != -1 || (errno != ENOSYS && errno != EPERM))
>      return ret;
>
>    /* NB: Restore errno since errno may be checked against non-zero
> --
> 2.30.2
>


-- 
H.J.