[v5,0/2] Linux: Fix posix_spawn when user with time namespaces
Message ID | 20220530174918.3056804-1-adhemerval.zanella@linaro.org |
---|---|
Headers |
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id C5B44385E017 for <patchwork@sourceware.org>; Mon, 30 May 2022 17:49:57 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org C5B44385E017 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1653932997; bh=P2bm4ZRk0+Rzoi2yo/PapXM9YvbyihP5xbE5ngtjfjI=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=YpmwQQbjUhRuLVuhzohr6wk+2dcV/foppkjcQW9Qh16dWZ2K1QZLtE+fYGnaEnsgn JgMJUheJM3QcDB4oLUt34zqZ/SV4gt6MgRxhE2YWuHjYCiZ/RvkkejK0nDwdG7t+kK ER7X+sSXCSY9klulIL9pEcN2qbYvFnoFeB6Q6E6M= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) by sourceware.org (Postfix) with ESMTPS id 57AAC384F024 for <libc-alpha@sourceware.org>; Mon, 30 May 2022 17:49:23 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 57AAC384F024 Received: by mail-ot1-x335.google.com with SMTP id t22-20020a0568301e3600b0060b333f7a1eso8141924otr.0 for <libc-alpha@sourceware.org>; Mon, 30 May 2022 10:49:23 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=P2bm4ZRk0+Rzoi2yo/PapXM9YvbyihP5xbE5ngtjfjI=; b=sGQCPm4zbTEAhNXzHWghh+iFpfDkOiUvZ2xfSINLHFUZ7o06UzFmQ/QtKm5rGtuRNb zdZVJYBl6WOsKrmhcPi5E1I/ydvLjxAKsL0WhUPMDAZkzTEuZWMqg0YQemTtVQqxweKz J/lVmJi/ABrgW0npxoLoBuzrUSQYml/GNJcHymQ3uzAC6P9NBZ36fUJWMcTU3LzjoBVZ /wb5K9cDoJAxbiN1oL45SbLsE0Wbd3Aad4c4BDWrRlTl3pSWShTBX/I1R8r3WPh+1lMe 7tTSNTubYfK1SjlT1I9RYIk0hQSAZRiWPoLyCq953tLxclcCSVWfGbaEG3kEeidfVhcZ hRbw== X-Gm-Message-State: AOAM533dV07dVkgDpki5mNj+AoEEW+QLIY/sxpjg0+XX3YZR1HeQmSci u78vbDEmB2GDPT4UnCsZEHfrA082Bd4kyg== X-Google-Smtp-Source: ABdhPJyyRjxFu/HCakKJOnz7feGllKVqStAyZp6Q51MFy1LTajgW+maGeFDmku4PykXAoUrYIXUYoA== X-Received: by 2002:a9d:798f:0:b0:60b:18f7:9cdb with SMTP id h15-20020a9d798f000000b0060b18f79cdbmr13863447otm.103.1653932962475; Mon, 30 May 2022 10:49:22 -0700 (PDT) Received: from birita.. ([2804:431:c7cb:9f85:32e5:37a2:c438:5101]) by smtp.gmail.com with ESMTPSA id a19-20020a544e13000000b0032af3cffac7sm4903227oiy.2.2022.05.30.10.49.21 for <libc-alpha@sourceware.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 May 2022 10:49:21 -0700 (PDT) To: libc-alpha@sourceware.org Subject: [PATCH v5 0/2] Linux: Fix posix_spawn when user with time namespaces Date: Mon, 30 May 2022 14:49:16 -0300 Message-Id: <20220530174918.3056804-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-5.4 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> From: Adhemerval Zanella via Libc-alpha <libc-alpha@sourceware.org> Reply-To: Adhemerval Zanella <adhemerval.zanella@linaro.org> Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> |
Message
Adhemerval Zanella
May 30, 2022, 5:49 p.m. UTC
The patchset also adds some support to tests the fallback code to use only use CLONE_VFORK. It uses unshare directly because it simpler than add container support. v5: Use a MAP_SHARED page to communicate error on prepare phase from helper process. Adhemerval Zanella (2): support: Add support_enter_time_namespace linux: Add fallback for clone failure on posix_spawn (BZ #29115) posix/Makefile | 16 ++- posix/tst-spawn-chdir-timens.c | 2 + posix/tst-spawn-chdir.c | 7 ++ posix/tst-spawn-timens.c | 2 + posix/tst-spawn.c | 6 ++ posix/tst-spawn2-timens.c | 2 + posix/tst-spawn2.c | 8 ++ posix/tst-spawn4-timens.c | 2 + posix/tst-spawn4.c | 10 +- posix/tst-spawn5-timens.c | 2 + posix/tst-spawn5.c | 10 +- posix/tst-spawn6-timens.c | 2 + posix/tst-spawn6.c | 12 ++- support/Makefile | 1 + support/namespace.h | 5 + support/support_enter_time_namespace.c | 34 ++++++ sysdeps/unix/sysv/linux/spawni.c | 141 +++++++++++++++++-------- 17 files changed, 211 insertions(+), 51 deletions(-) create mode 100644 posix/tst-spawn-chdir-timens.c create mode 100644 posix/tst-spawn-timens.c create mode 100644 posix/tst-spawn2-timens.c create mode 100644 posix/tst-spawn4-timens.c create mode 100644 posix/tst-spawn5-timens.c create mode 100644 posix/tst-spawn6-timens.c create mode 100644 support/support_enter_time_namespace.c
Comments
On 5/30/22 13:49, Adhemerval Zanella via Libc-alpha wrote: > The patchset also adds some support to tests the fallback code > to use only use CLONE_VFORK. It uses unshare directly because > it simpler than add container support. > > v5: Use a MAP_SHARED page to communicate error on prepare phase from > helper process. The current progress is that it seems we may get the upstream Linux kernel to change the semantics of the time namespace to take effect only after exec for vfork. If that goes forward we won't need these changes? I'm trying to determine if these changes constitute a blocker for 2.36.
> On 11 Jul 2022, at 12:32, Carlos O'Donell <carlos@redhat.com> wrote: > > On 5/30/22 13:49, Adhemerval Zanella via Libc-alpha wrote: >> The patchset also adds some support to tests the fallback code >> to use only use CLONE_VFORK. It uses unshare directly because >> it simpler than add container support. >> >> v5: Use a MAP_SHARED page to communicate error on prepare phase from >> helper process. > > The current progress is that it seems we may get the upstream Linux kernel > to change the semantics of the time namespace to take effect only after > exec for vfork. If that goes forward we won't need these changes? > > I'm trying to determine if these changes constitute a blocker for 2.36. My understanding is even kernel does change or add a new flag to handle it, we still have released kernels that might hit this issue.
On 7/11/22 12:56, Adhemerval Zanella wrote: > > >> On 11 Jul 2022, at 12:32, Carlos O'Donell <carlos@redhat.com> wrote: >> >> On 5/30/22 13:49, Adhemerval Zanella via Libc-alpha wrote: >>> The patchset also adds some support to tests the fallback code >>> to use only use CLONE_VFORK. It uses unshare directly because >>> it simpler than add container support. >>> >>> v5: Use a MAP_SHARED page to communicate error on prepare phase from >>> helper process. >> >> The current progress is that it seems we may get the upstream Linux kernel >> to change the semantics of the time namespace to take effect only after >> exec for vfork. If that goes forward we won't need these changes? >> >> I'm trying to determine if these changes constitute a blocker for 2.36. > > My understanding is even kernel does change or add a new flag to handle > it, we still have released kernels that might hit this issue. Thanks. In which case I don't consider this a blocker for 2.36. It's a bug that we can fix in 2.37 and backport to 2.36 when we've completed the review. I've started looking at these changes but I think we need more testing in downstream. If we fix this when 2.37 opens we can start testing it in Fedora Rawhide early, and backport after we know we don't have further issues.
On 18/07/22 23:33, Carlos O'Donell wrote: > On 7/11/22 12:56, Adhemerval Zanella wrote: >> >> >>> On 11 Jul 2022, at 12:32, Carlos O'Donell <carlos@redhat.com> wrote: >>> >>> On 5/30/22 13:49, Adhemerval Zanella via Libc-alpha wrote: >>>> The patchset also adds some support to tests the fallback code >>>> to use only use CLONE_VFORK. It uses unshare directly because >>>> it simpler than add container support. >>>> >>>> v5: Use a MAP_SHARED page to communicate error on prepare phase from >>>> helper process. >>> >>> The current progress is that it seems we may get the upstream Linux kernel >>> to change the semantics of the time namespace to take effect only after >>> exec for vfork. If that goes forward we won't need these changes? >>> >>> I'm trying to determine if these changes constitute a blocker for 2.36. >> >> My understanding is even kernel does change or add a new flag to handle >> it, we still have released kernels that might hit this issue. > > Thanks. In which case I don't consider this a blocker for 2.36. It's a bug that we can fix > in 2.37 and backport to 2.36 when we've completed the review. I've started looking at these > changes but I think we need more testing in downstream. If we fix this when 2.37 opens we > can start testing it in Fedora Rawhide early, and backport after we know we don't have > further issues. > I agree, I have not added it as a 2.36 as blocker although it would be a good thing to have.
On 7/19/22 08:56, Adhemerval Zanella Netto wrote: > > > On 18/07/22 23:33, Carlos O'Donell wrote: >> On 7/11/22 12:56, Adhemerval Zanella wrote: >>> >>> >>>> On 11 Jul 2022, at 12:32, Carlos O'Donell <carlos@redhat.com> wrote: >>>> >>>> On 5/30/22 13:49, Adhemerval Zanella via Libc-alpha wrote: >>>>> The patchset also adds some support to tests the fallback code >>>>> to use only use CLONE_VFORK. It uses unshare directly because >>>>> it simpler than add container support. >>>>> >>>>> v5: Use a MAP_SHARED page to communicate error on prepare phase from >>>>> helper process. >>>> >>>> The current progress is that it seems we may get the upstream Linux kernel >>>> to change the semantics of the time namespace to take effect only after >>>> exec for vfork. If that goes forward we won't need these changes? >>>> >>>> I'm trying to determine if these changes constitute a blocker for 2.36. >>> >>> My understanding is even kernel does change or add a new flag to handle >>> it, we still have released kernels that might hit this issue. >> >> Thanks. In which case I don't consider this a blocker for 2.36. It's a bug that we can fix >> in 2.37 and backport to 2.36 when we've completed the review. I've started looking at these >> changes but I think we need more testing in downstream. If we fix this when 2.37 opens we >> can start testing it in Fedora Rawhide early, and backport after we know we don't have >> further issues. >> > > I agree, I have not added it as a 2.36 as blocker although it would be > a good thing to have. We'll review this again when 2.37 opens. Since the details are hidden behind the interfaces in spawni.c it could be backported safely.