From: Hongxu Jia
To: "H.J. Lu"
Cc: GNU C Library, Adhemerval Zanella, Richard Purdie
Subject: Re: [PATCH] fix create thread failed in unprivileged process [BZ #28287]
Date: Mon, 30 Aug 2021 00:03:03 +0800
List-Id: Libc-alpha mailing list

On 8/29/21 11:20 PM, H.J. Lu wrote:
> [Please note: This e-mail is from an EXTERNAL e-mail address]
>
> On Sun, Aug 29, 2021 at 7:50 AM Hongxu Jia wrote:
>> On 8/29/21 10:43 PM, H.J. Lu wrote:
>>> On Sun, Aug 29, 2021 at 7:12 AM Hongxu Jia wrote:
>>>> On 8/29/21 9:47 PM, H.J. Lu wrote:
>>>>> On Sun, Aug 29, 2021 at 6:29 AM Hongxu Jia wrote:
>>>>>> Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3]
>>>>>> was applied, starting an unprivileged container (docker run without --privileged)
>>>>>> fails to create a thread in the container.
>>>>>>
>>>>>> In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WRAPPER is defined. If
>>>>>> __clone3 returns -1 with ENOSYS, fall back to clone or clone2.
>>>>>>
>>>>>> As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP,
>>>>>> CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS
>>>>>> was specified by an unprivileged process (process without CAP_SYS_ADMIN)
>>>>> I don't think the description is accurate. In your test, none
>>>>> of the mentioned flags are used directly. The real bug is
>>>>> that the container you used blocks the normal clone3 and
>>>>> sets errno to EPERM. The question is if/how glibc should
>>>>> work around the clone3 bug in containers. We want to add
>>>>> a public clone3 wrapper to glibc in the future. But before we
>>>>> do that, all these containers should be changed to ENOSYS
>>>>> if clone3 is blocked.
>>>> You mean I should fix the container (here is the docker I used) to correct
>>>> EPERM to ENOSYS in this situation, but for the released/old docker,
>>>> the pthread_create still does not work with glibc 2.34 in unprivileged mode.
>>>>
>>>> In other words, should the new glibc consider backward compatibility with
>>>> others?
>>> I don't think we should hide the container bug in glibc. Will a glibc tunable
>>> to disable the clone3 wrapper work here?
>> Yes, that's my plan B, disable it by removing the macro definition of
>> HAVE_CLONE3_WRAPPER in our Yocto's glibc
>>
> This is an option. But this is not what I meant. We can add
>
> $ export GLIBC_TUNABLES=glibc.syscall=disable_clone3
>
> to disable the clone3 wrapper.

Thank you very much, setting an environment is better than applying
a patch to sources, but unfortunately, I set
'export GLIBC_TUNABLES=glibc.syscall=disable_clone3' in my glibc build
environment, but it does not seem to work; the issue still exists.
I also applied it in my runtime container, and it does not work either.

My build environment is a Yocto project that supports cross compiling.
I am not familiar with the GLIBC_TUNABLES setting; with a simple search in
the glibc sources, I do not find clues about glibc.syscall=disable_clone3

//Hongxu

>
> --
> H.J.
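
Added example, not part of the original message and not glibc code: a small C probe for checking how a container's syscall filter answers clone3, which is the distinction the thread turns on (ENOSYS triggers the fallback to clone or clone2, EPERM does not). The function and enum names are hypothetical, the fallback value 435 for SYS_clone3 is an assumption for old headers, and the probe assumes a kernel that implements clone3 rejects a zero-sized argument block with EINVAL.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* assumption: generic syscall number, for old headers */
#endif

enum clone3_state {
    CLONE3_USABLE,        /* kernel reached argument validation */
    CLONE3_FALLBACK_OK,   /* ENOSYS: the fallback to clone/clone2 is taken */
    CLONE3_BLOCKED_EPERM, /* EPERM: no fallback, thread creation fails */
    CLONE3_UNKNOWN        /* anything else: inspect the filter by hand */
};

/* Map the errno of a deliberately invalid clone3 call to a state. */
enum clone3_state classify_clone3_errno(int err)
{
    switch (err) {
    case EINVAL: return CLONE3_USABLE;
    case ENOSYS: return CLONE3_FALLBACK_OK;
    case EPERM:  return CLONE3_BLOCKED_EPERM;
    default:     return CLONE3_UNKNOWN;
    }
}

/* Call clone3 with a NULL argument block of size 0. A kernel that implements
   clone3 rejects the size with EINVAL before creating anything, so no child
   is ever started; a filter in front of the kernel answers EPERM or ENOSYS. */
int probe_clone3_errno(void)
{
    errno = 0;
    long ret = syscall(SYS_clone3, NULL, 0L);
    return ret == -1 ? errno : 0;
}

int main(void)
{
    int err = probe_clone3_errno();
    printf("clone3 probe: errno=%d state=%d\n", err, classify_clone3_errno(err));
    /* Exit status 1 flags the EPERM case described in the thread. */
    return classify_clone3_errno(err) == CLONE3_BLOCKED_EPERM;
}
```

Built statically and run inside the container under test, an exit status of 1 means the filter answers clone3 with EPERM.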