From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by sourceware.org (Postfix) with ESMTPS id B30763858403 for ; Sun, 29 Aug 2021 14:12:48 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org B30763858403 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=windriver.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=windriver.com Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 17TEAPAj019543; Sun, 29 Aug 2021 07:12:39 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=subject : to : cc : references : from : message-id : date : in-reply-to : content-type : content-transfer-encoding : mime-version; s=PPS06212021; bh=lr3deb+W4dQyH3xIw3kB5rM5hl9fpllLVH6OHhl2mFQ=; b=pTJuodEwzeWLsWZlMg1Xh6kW32YTKR9Tria4Mb13oFSjG4EW96esRsC/DOxdqPRd2dhI WTGgzGHaKj3wfogCZdMc9usqGeygeIAacdZoz7aaN0/9ibuGsWsSGRo1HIliWNxg+yaR SNSkhvAhb8nmXmdEM5zWQA5OA+oWVYKo6HEy/8tTiBBvm1uMFqyrUhZQjPQLo7sxP460 mESQb4vxCBQnfoIADdvIQezefG68tAcU3NS/+M/iLvCcDEkNIw/Cmh8Pi2VhQ2rTbH1c CWwlfILv3TRnuZnAv1nRsLYykGqceEt7bYcviGlqcCsT6zAtHpBqA4D6AANWlOkNeigM uA== Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2102.outbound.protection.outlook.com [104.47.70.102]) by mx0a-0064b401.pphosted.com with ESMTP id 3aqmnjrjeg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 29 Aug 2021 07:12:38 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U+MAqX+da2pYxq6B1yCMP2g+aLieCeoquw/nEY/RqRWBiT7Yvdw665QYuzla/QcsgVapiSDymp0zVBuZ4UmLfoUvr7u6NOVSm/Hfusyg/2/jkng6ZMWGRaRKXKXqN3Duko4BMwcQvImIALha3qkY8vyJ1ZZG2Q2pIIUuEKKZ8213/b9yqKrdJp7xP7k5gurkbjS9Vjviafki4Tz7nbxh0M9dwJzw9RTaPpQqDfUfA0j96dG/ZwVXHdWpUSHkDcwPEAsjmXIeu3f/Yq7qTZbhvmVUgP9Gbd0ADv0kSKzcVAtsHOY0eNymmE99oef3gYykUxGXISUeXIilzptpfVywkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lr3deb+W4dQyH3xIw3kB5rM5hl9fpllLVH6OHhl2mFQ=; b=nTvLXIWuOIVCERV3qd9MLOOl26LH1mwinWgllQt+q00mzCV7q/lI+gIDm9wDzM9/+frjbN1hu4/n48bv3WMqYAfwhSQZxtbRLAb65w7qR1ahtMzvdl8gOgppQjoeir160YRPR6WVZkhXO9bVnQluHYcXrOnJjp+QF9kehqrMTPLNbtXQcdn0HeopCX3z7AvfcaqRt6yWT5zMv/TuNTV2qn4CRrEW+EirhgOaBWmyPQ9GaREepY5hUXMPpN+U9Fx7/hFLg4Qqf3zUpVMyonYdA14gWiNuK4dak70RApfw7jFVUao8KtqzI9q/bSKHOZoydt7VJ5gxxUNS/wxd+oRasQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Authentication-Results: linuxfoundation.org; dkim=none (message not signed) header.d=none;linuxfoundation.org; dmarc=none action=none header.from=windriver.com; Received: from MW3PR11MB4633.namprd11.prod.outlook.com (2603:10b6:303:5b::9) by MWHPR1101MB2125.namprd11.prod.outlook.com (2603:10b6:301:4d::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.20; Sun, 29 Aug 2021 14:12:36 +0000 Received: from MW3PR11MB4633.namprd11.prod.outlook.com ([fe80::d1c0:bab8:4a6a:edf8]) by MW3PR11MB4633.namprd11.prod.outlook.com ([fe80::d1c0:bab8:4a6a:edf8%2]) with mapi id 15.20.4457.024; Sun, 29 Aug 2021 14:12:36 +0000 Subject: Re: [PATCH] fix create thread failed in unprivileged process [BZ #28287] To: "H.J. Lu" Cc: GNU C Library , Adhemerval Zanella , Richard Purdie References: <20210829132954.18148-1-hongxu.jia@windriver.com> From: Hongxu Jia Message-ID: Date: Sun, 29 Aug 2021 22:12:30 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-ClientProxiedBy: HK2PR02CA0185.apcprd02.prod.outlook.com (2603:1096:201:21::21) To MW3PR11MB4633.namprd11.prod.outlook.com (2603:10b6:303:5b::9) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [128.224.162.148] (60.247.85.82) by HK2PR02CA0185.apcprd02.prod.outlook.com (2603:1096:201:21::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.17 via Frontend Transport; Sun, 29 Aug 2021 14:12:35 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: fbfa82bc-e90c-4f61-1071-08d96af70d87 X-MS-TrafficTypeDiagnostic: MWHPR1101MB2125: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:1850; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: FsJttMaH/z0I9gN4AUT+Sn+ypphILcD7UG47lVvDAYW3lYfo43W16W2lDPTbMDOf1rAvy5Jw71KQdA26M3TpyFYlnoG+OEAXWO0W+9qCwAO86Qr0W0Wu/mNNdfEN+sWkDYVcuHLM3c21wwTnNRVNpZJpLGABb5480oiUm/qQnGI39TFFp/IFWJ9WEyccvNVRz2lFqw/3QNdEBpefbyfsDDt0zZI11IgbFhB0KjQhiiqdT6UvN1v8agCJDMz3+VTzEMAUir05+7Q+GjHGWEP3LJRXUE9MXEkTfYG43AkeClow3Q/bUqaDgxRrVsOYoe1DWMBY6yy75n87PhQQ0owPpDEydAoZ1lc3Eo54u0FyEtPNW4DAC5SnysF50RQIxdLkE2GgmahoFZnRztdkxJQj9cSeHrUxr69ybsjUuM/+eBuQ0hIiiFUfGB9mezul/N5IamP3NRg32McmM29VFAgsQZKIX3lEwZ7rNxlRvSIGPw5F/V39AfTrgKdvo4LrstpgZZQJGyxKm/iGBgUsoGjHhBnj0bgdjAPTL6dPIvI70n98Lo/jx1HGeb4EUDhFrgpTILS5sjwyoaOxzZ2Mn+joCdKakLtV6Qp0ZdAzH0VFtG9lilvqxqg6CHrjAC2FdHuigK503loXaUWQTHnXxGYcr7nNii12N3g0l6Tx/YDa6SLscCsDQT3UzKWv1YiQe8UmhRljpm853Q2KyqXqX7ovzgpw1Rq/XZ5DMvN2R632mdOzKNd3ydqEHGH7OvAMl7uQVhdWBAehIFQQMwufDa3vYwSbbf/h3y3/Iflc3yFZpLDYxU7rhjCg6m4LKZHvgcBY2MhzITkoJLPelYhkoNkhafrvbin+/MbKFPHJR5jjQwhnpSKdgKg9pN4vRKQSB72t X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW3PR11MB4633.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(376002)(39830400003)(396003)(136003)(54906003)(8676002)(6706004)(6916009)(186003)(83380400001)(26005)(38100700002)(44832011)(66946007)(86362001)(52116002)(31696002)(6486002)(38350700002)(66556008)(66476007)(2906002)(53546011)(16576012)(966005)(956004)(6666004)(31686004)(8936002)(4326008)(478600001)(2616005)(36756003)(5660300002)(316002)(78286007)(43740500002)(45980500001); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?YllEeFY3ZDhOQUxhVnZmRkg2UVhRNHJpLzhyeFYyaE5WYm13U1EraHRrLzM5?= =?utf-8?B?dEk1aTFpK1Bxb3Zya21lQmhEa3ZGdjk2clQ2eGQ4YlRycjZXV1J3ajJkSTJr?= =?utf-8?B?UGpROEdacER3ZEVyWWViOWJCTTlYZ0ZHeHNqUEtsT0pLVUx2b0dReENXZlRu?= =?utf-8?B?YStscjAxWGJ1RjR3Si92NURvMUxwVFhUMElNVFRSQ2pnSFBkSWNUbkpDWDNV?= =?utf-8?B?Uk9aVmZuc0Q1Z3RQbjlic0JTbU56Y0NOU0ZCbEJvQ2U2L3ZMeE5tdS9ib25Z?= =?utf-8?B?V0ZyRkx5V1VDNXBDYjJqQ0NiNVZsbll0UXZ0NU5nYUtNWHRrYy9TcDZUSC8x?= =?utf-8?B?VFJTc2Jia1lXUHVHSDNoUitSOCtsajEwSmI2OEJWN0dtYzZ6QnNkeHJQa1Q2?= =?utf-8?B?cU8wYzN2dWtRMlJobUpYNTU5bk1SSlJOOXBuK1F4RU1LY28yZklxMGRHUWdN?= =?utf-8?B?RzRjbjNkanBkNWRBOU1PeUZ6VXQvRnIxWXRubGJoRndxSmZCTjZFbEphbU9u?= =?utf-8?B?V3NVd2dJNG5GVkluUXJUZGZ6RVRsSnZ3c0FKTnljUVRkdUhRTVFnSy9vVWxV?= =?utf-8?B?SjNsVzFsWDhWMVQzZlZyb2NoNGNOK3RvZXVQSFd1RGduYlh0TncrZFZTUWg1?= =?utf-8?B?OG94ZUc5L3c2MXgycjJ1Qk1VSEM2aHZ5U1RhTTE2dmNXaTVpTnZxRERKVXMy?= =?utf-8?B?dE9QYUhicjYxM3Y4YkloeVRDZnFzV2h3SkJqajVYeDJPdzZBYnNNZXlMRWZR?= =?utf-8?B?blc0SmdaVmNaMCtZQVhZMkxlVmVUVmxxMmdoT1RLazdqSkU4MW1xSUJsbFZq?= =?utf-8?B?VHZvdkZjbEQ1dkZSODdmYW1xSHVzdUJubFQ1cjdFbFREODZKZ1NCa0UwNitz?= =?utf-8?B?TVRMTi9SVG9uU0FsTzA5djFUOW9IUzAxTElSN2FQdis2VVdUOVphblJsZ2J5?= =?utf-8?B?YkpPK3hHSVdXYUxKejQ3amlaNmRuUU1WY0xtQmw3WmZKTElYMzI0SHFEbUts?= =?utf-8?B?MnRxbGFkK2NUVGprS0REQm1ta1diaUFrVk1Kd0NvMnZuVDIyZFo1Z1VDQXdB?= =?utf-8?B?eDZKYi9XQjZtWER3VHdhY1FWUDVoL2kwUVlUci9FK1FaeWkrelRKRk5MVFIy?= =?utf-8?B?Szc5YjY0VXErSXdiSVllZFI3VktKZlNkb3B3YTlnM0lxVk5ndFFIYmN1S3lX?= =?utf-8?B?dW9saHpSRjVDTnFOYmhNbzJUaUpkcHo4SThBWjU1NjFtUzVRTFhyNkRGTnIx?= =?utf-8?B?dEEvOEc5KzNZWkdveEhCZnBndjBCVlMwdUd6SW5abDZzdklkYWFTMHlBaDFV?= =?utf-8?B?R0RZMzBCNWRTb0ZrVEFoNkpWOWdhRkZZQ1hNdUdzREFHdmJzc2ZGalZmUktw?= =?utf-8?B?ckhhbENQa1NmR0oyc1NBS1N1NU9pWDY0QmZQZzVOblRYcFZpcWxYaTlUODc4?= =?utf-8?B?a083TmRWTTB4OVhlOE5oUjdlZ3NlekNvb094NzMxNDU2czgzZHRoOWxSSVl3?= =?utf-8?B?WU0ybGpXNGNRWUJKcTNJRXZoZjVrTDJRRlE4a3d3NTFqcFpXdi9HcExIMW90?= =?utf-8?B?QkV5eHhFUjZ4TWVWQTcwWlcvWWhYTGhEaFRCUHZWbThSaktjaHJwSmVvUVZN?= =?utf-8?B?K0I1bkV1OUw4NVB4K20xUGpoZ0c1dVJOKzE0b1pQUWVscTExQW5kcGUyRG5V?= =?utf-8?B?WHgyZlFHN3ExWDQvUHJJL0hrNURmZnNVRkpUenlUbmFpTFFuK0ZmSHUrVHF1?= =?utf-8?Q?92rFd7ngysVLuX5S37ftPaErv1d7cVo22JtNZ25?= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: fbfa82bc-e90c-4f61-1071-08d96af70d87 X-MS-Exchange-CrossTenant-AuthSource: MW3PR11MB4633.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Aug 2021 14:12:36.8188 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: hDieOwDMtA/gFErTc1G8ovHFIGD33dPekXVcW8RDfDKhjGS31SwaQTTSJ9o009YTtHhZqcXcIPvqO5GNKYRYYBFrIb6baFz1Yz5+myO+9Nw= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1101MB2125 X-Proofpoint-ORIG-GUID: I5Urf6TGq4HTmPw3QKS2xM6sLifMbZUJ X-Proofpoint-GUID: I5Urf6TGq4HTmPw3QKS2xM6sLifMbZUJ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-08-29_05,2021-08-27_01,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 bulkscore=0 malwarescore=0 mlxlogscore=999 impostorscore=0 phishscore=0 clxscore=1011 adultscore=0 suspectscore=0 priorityscore=1501 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108290088 X-Spam-Status: No, score=-15.4 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, MSGID_FROM_MTA_HEADER, NICE_REPLY_A, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Aug 2021 14:12:59 -0000 On 8/29/21 9:47 PM, H.J. Lu wrote: > [Please note: This e-mail is from an EXTERNAL e-mail address] > > On Sun, Aug 29, 2021 at 6:29 AM Hongxu Jia wrote: >> Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3] >> applied, start a unprivileged container (docker run without --privileged), >> it creates a thread failed in container. >> >> In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER is defined. If >> __clone3 returns -1 with ENOSYS, fall back to clone or clone2. >> >> As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP, >> CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS >> was specified by an unprivileged process (process without CAP_SYS_ADMIN) > I don't think the description is accurate. In your test, none > of the mentioned flags are used directly. The real bug is > that the container you used blocks the normal clone3 and > sets errno to EPERM. The question is if/how glibc should > work arounds the clone3 bug in containers. We want to add > a public clone3 wrapper to glibc in the future. But before we > do that, all these containers should be changed to ENOSYS > if clone3 is blocked. You mean I should fix the container (here is the docker I used) to correct EPERM to ENOSYS in this situation, but for the released/old docker, the pthread_create still does not work with glibc 2.34 in unprivileged mode. In other word, should the new glibc consider backward compatibility with others? //Hongxu >> [1] https://man7.org/linux/man-pages/man2/clone3.2.html >> >> So if __clone3 returns -1 with EPERM, fall back to clone or clone2 could >> fix the issue. Here are the test steps: >> >> 1) Prepare test code >> cat > conftest.c <> #include >> #include >> >> int check_me = 0; >> void* func(void* data) {check_me = 42; printf("start thread: check_me %d\n", check_me); return &check_me;} >> int main() >> { >> pthread_t t; >> void *ret; >> pthread_create (&t, 0, func, 0); >> pthread_join (t, &ret); >> printf("check_me %d, p %p\n", check_me, &ret); >> return (check_me != 42 || ret != &check_me); >> } >> >> ENDOF >> >> 2) Compile >> gcc -o conftest -pthread conftest.c >> >> 3) Start a container with glibc 2.34 installed >> [skip details] >> docker run -it bash >> >> 4) Run conftest without this patch >> $ ./conftest >> check_me 0, p 0x7ffd91ccd400 >> >> 5) Run conftest with this patch >> $ ./conftest >> start thread: check_me 42 >> check_me 42, p 0x7ffe253c6f20 >> >> Signed-off-by: Hongxu Jia >> --- >> sysdeps/unix/sysv/linux/clone-internal.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/sysdeps/unix/sysv/linux/clone-internal.c b/sysdeps/unix/sysv/linux/clone-internal.c >> index 979f7880be..97101994e8 100644 >> --- a/sysdeps/unix/sysv/linux/clone-internal.c >> +++ b/sysdeps/unix/sysv/linux/clone-internal.c >> @@ -52,7 +52,7 @@ __clone_internal (struct clone_args *cl_args, >> /* Try clone3 first. */ >> int saved_errno = errno; >> ret = __clone3 (cl_args, sizeof (*cl_args), func, arg); >> - if (ret != -1 || errno != ENOSYS) >> + if (ret != -1 || (errno != ENOSYS && errno != EPERM)) >> return ret; >> >> /* NB: Restore errno since errno may be checked against non-zero >> -- >> 2.30.2 >> > > -- > H.J.