Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
[lxc/lxc] e5cc7a: lxc/start: do prctl(PR_SET_DUMPABLE) after last ui...
0 views
Skip to first unread message
Stéphane Graber
Apr 3, 2025, 9:07:31 AMApr 3
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/main
Home: https://github.com/lxc/lxc
Commit: e5cc7a6be277a3aa1873bcbf66eca6eaf3661ddf
https://github.com/lxc/lxc/commit/e5cc7a6be277a3aa1873bcbf66eca6eaf3661ddf
Author: Alexander Mikhalitsyn <aleksandr....@canonical.com>
Date: 2025-04-03 (Thu, 03 Apr 2025)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
lxc/start: do prctl(PR_SET_DUMPABLE) after last uid/gid switch
We need to do prctl(PR_SET_DUMPABLE) later, after last lxc_switch_uid_gid()
call. Because otherwise, our earlier call won't be effective as commit_creds()
in the kernel [1] will set_dumpable(task->mm, suid_dumpable) if UID/GID or capabilities
were affected by lxc_switch_uid_gid() call.
This only affects LXC API ->start(struct lxc_container *c, int useinit, char *const argv[])
call when useinit == 1 because in this case we don't perform additinal exec() and
task's dumpable bit remains set to 2 (default value taken from /proc/sys/fs/suid_dumpable).
If useinit == 0, then we do exec() (see start_ops->start callback) and then dumblable
flag will be reset in begin_new_exec() to SUID_DUMP_USER=1 [2]. Then everything will be fine.
Reproducer (problem with lxc-attach).
1. Create unprivileged container
$ ./normalbuild/src/lxc/tools/lxc-create -n testcaps -t download
with busybox template and config:
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.init.uid = 1234
lxc.init.gid = 4321
lxc.init.cwd = /
lxc.sched.core = 1
2. Run a container with useinit = 1
$ ./lxcbuild/src/lxc/tools/lxc-execute -n testcaps -l TRACE -o /home/ubuntu/debug.log -- /bin/sleep 100
1. Try to attach
$ strace -f -e prctl ./normalbuild/src/lxc/tools/lxc-attach -n testcaps
prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, 4124, 0 /* PIDTYPE_PID */, [0xd00f7fff]) = 0
strace: Process 4165 attached
strace: Process 4166 attached
[pid 4166] +++ exited with 0 +++
[pid 4164] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4166, si_uid=100000, si_status=0, si_utime=0, si_stime=0} ---
strace: Process 4167 attached
[pid 4167] prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM, 1, 0 /* PIDTYPE_PID */, NULL) = -1 EPERM (Operation not permitted) <<<<< OOPS
[pid 4165] +++ exited with 0 +++
[pid 4164] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4165, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
lxc-attach: testcaps: ../src/lxc/attach.c: do_attach: 1160 Operation not permitted - Failed to join core scheduling domain of 4124
lxc-attach: testcaps: ../src/lxc/attach.c: do_attach: 1382 Failed to attach to container
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM...) fails with EPERM, because:
- container's init task->mm: (get_dumpable(mm) != SUID_DUMP_USER)
AND
- mm->user_ns == init_user_ns (as there was no exec() and mm_struct->user_ns was set in the initial
user namespace when we run lxc-execute)
( for more details see [3] )
[1] https://github.com/torvalds/linux/blob/acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1/kernel/cred.c#L412
[2] https://github.com/torvalds/linux/blob/a2cc6ff5ec8f91bc463fd3b0c26b61166a07eb11/fs/exec.c#L1331
[3] https://github.com/torvalds/linux/blob/acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1/kernel/ptrace.c#L344
Reported-by: Stéphane Graber <stgr...@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr....@canonical.com>
Commit: 40f9f99b190fea1901bdc2a76ee15546c7b43558
https://github.com/lxc/lxc/commit/40f9f99b190fea1901bdc2a76ee15546c7b43558
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-04-03 (Thu, 03 Apr 2025)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
Merge pull request #4535 from mihalicyn/core_sched_fail_fix
lxc/start: do prctl(PR_SET_DUMPABLE) after last uid/gid switch
Compare: https://github.com/lxc/lxc/compare/53e07509bf36...40f9f99b190f
To unsubscribe from these emails, change your notification settings at https://github.com/lxc/lxc/settings/notifications
Home: https://github.com/lxc/lxc
Commit: e5cc7a6be277a3aa1873bcbf66eca6eaf3661ddf
https://github.com/lxc/lxc/commit/e5cc7a6be277a3aa1873bcbf66eca6eaf3661ddf
Author: Alexander Mikhalitsyn <aleksandr....@canonical.com>
Date: 2025-04-03 (Thu, 03 Apr 2025)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
lxc/start: do prctl(PR_SET_DUMPABLE) after last uid/gid switch
We need to do prctl(PR_SET_DUMPABLE) later, after last lxc_switch_uid_gid()
call. Because otherwise, our earlier call won't be effective as commit_creds()
in the kernel [1] will set_dumpable(task->mm, suid_dumpable) if UID/GID or capabilities
were affected by lxc_switch_uid_gid() call.
This only affects LXC API ->start(struct lxc_container *c, int useinit, char *const argv[])
call when useinit == 1 because in this case we don't perform additinal exec() and
task's dumpable bit remains set to 2 (default value taken from /proc/sys/fs/suid_dumpable).
If useinit == 0, then we do exec() (see start_ops->start callback) and then dumblable
flag will be reset in begin_new_exec() to SUID_DUMP_USER=1 [2]. Then everything will be fine.
Reproducer (problem with lxc-attach).
1. Create unprivileged container
$ ./normalbuild/src/lxc/tools/lxc-create -n testcaps -t download
with busybox template and config:
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.init.uid = 1234
lxc.init.gid = 4321
lxc.init.cwd = /
lxc.sched.core = 1
2. Run a container with useinit = 1
$ ./lxcbuild/src/lxc/tools/lxc-execute -n testcaps -l TRACE -o /home/ubuntu/debug.log -- /bin/sleep 100
1. Try to attach
$ strace -f -e prctl ./normalbuild/src/lxc/tools/lxc-attach -n testcaps
prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, 4124, 0 /* PIDTYPE_PID */, [0xd00f7fff]) = 0
strace: Process 4165 attached
strace: Process 4166 attached
[pid 4166] +++ exited with 0 +++
[pid 4164] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4166, si_uid=100000, si_status=0, si_utime=0, si_stime=0} ---
strace: Process 4167 attached
[pid 4167] prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM, 1, 0 /* PIDTYPE_PID */, NULL) = -1 EPERM (Operation not permitted) <<<<< OOPS
[pid 4165] +++ exited with 0 +++
[pid 4164] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4165, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
lxc-attach: testcaps: ../src/lxc/attach.c: do_attach: 1160 Operation not permitted - Failed to join core scheduling domain of 4124
lxc-attach: testcaps: ../src/lxc/attach.c: do_attach: 1382 Failed to attach to container
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM...) fails with EPERM, because:
- container's init task->mm: (get_dumpable(mm) != SUID_DUMP_USER)
AND
- mm->user_ns == init_user_ns (as there was no exec() and mm_struct->user_ns was set in the initial
user namespace when we run lxc-execute)
( for more details see [3] )
[1] https://github.com/torvalds/linux/blob/acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1/kernel/cred.c#L412
[2] https://github.com/torvalds/linux/blob/a2cc6ff5ec8f91bc463fd3b0c26b61166a07eb11/fs/exec.c#L1331
[3] https://github.com/torvalds/linux/blob/acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1/kernel/ptrace.c#L344
Reported-by: Stéphane Graber <stgr...@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr....@canonical.com>
Commit: 40f9f99b190fea1901bdc2a76ee15546c7b43558
https://github.com/lxc/lxc/commit/40f9f99b190fea1901bdc2a76ee15546c7b43558
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-04-03 (Thu, 03 Apr 2025)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
Merge pull request #4535 from mihalicyn/core_sched_fail_fix
lxc/start: do prctl(PR_SET_DUMPABLE) after last uid/gid switch
Compare: https://github.com/lxc/lxc/compare/53e07509bf36...40f9f99b190f
To unsubscribe from these emails, change your notification settings at https://github.com/lxc/lxc/settings/notifications
Reply all
Reply to author
Forward
0 new messages