| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 06 Oct 2018 22:56:23 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Aleksa Sarai <cyphar@...har.com>
Cc: Andy Lutomirski <luto@...capital.net>,
Jann Horn <jannh@...gle.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>, jlayton@...nel.org,
Bruce Fields <bfields@...ldses.org>,
Al Viro <viro@...iv.linux.org.uk>,
Arnd Bergmann <arnd@...db.de>, shuah@...nel.org,
David Howells <dhowells@...hat.com>,
Andy Lutomirski <luto@...nel.org>, christian@...uner.io,
Tycho Andersen <tycho@...ho.ws>,
kernel list <linux-kernel@...r.kernel.org>,
linux-fsdevel@...r.kernel.org,
linux-arch <linux-arch@...r.kernel.org>,
linux-kselftest@...r.kernel.org, dev@...ncontainers.org,
containers@...ts.linux-foundation.org,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution
* Aleksa Sarai:
> On 2018-10-01, Andy Lutomirski <luto@...capital.net> wrote:
>> >>> Currently most container runtimes try to do this resolution in
>> >>> userspace[1], causing many potential race conditions. In addition, the
>> >>> "obvious" alternative (actually performing a {ch,pivot_}root(2))
>> >>> requires a fork+exec which is *very* costly if necessary for every
>> >>> filesystem operation involving a container.
>> >>
>> >> Wait. fork() I understand, but why exec? And actually, you don't need
>> >> a full fork() either, clone() lets you do this with some process parts
>> >> shared. And then you also shouldn't need to use SCM_RIGHTS, just keep
>> >> the file descriptor table shared. And why chroot()/pivot_root(),
>> >> wouldn't you want to use setns()?
>> >
>> > You're right about this -- for C runtimes. In Go we cannot do a raw
>> > clone() or fork() (if you do it manually with RawSyscall you'll end with
>> > broken runtime state). So you're forced to do fork+exec (which then
>> > means that you can't use CLONE_FILES and must use SCM_RIGHTS). Same goes
>> > for CLONE_VFORK.
>>
>> I must admit that I’m not very sympathetic to the argument that “Go’s
>> runtime model is incompatible with the simpler solution.”
>
> Multi-threaded programs have a similar issue (though with Go it's much
> worse). If you fork a multi-threaded C program then you can only safely
> use AS-Safe glibc functions (those that are safe within a signal
> handler). But if you're just doing three syscalls this shouldn't be as
> big of a problem as Go where you can't even do said syscalls.
The situation is a bit more complicated. There are many programs out
there which use malloc and free (at least indirectly) after a fork,
and we cannot break them. In glibc, we have a couple of subsystems
which are put into a known state before calling the fork/clone system
call if the application calls fork. The price we pay for that is a
fork which is not POSIX-compliant because it is not async-signal-safe.
Admittedly, other libcs chose different trade-offs.
However, what is the same across libcs is this: You cannot call the
clone system call directly and get a fully working new process. Some
things break. For example, for recursive mutexes, we need to know the
TID of the current thread, and we cannot perform a system call to get
it for performance reasons. So everyone has a TID cache for that.
But the TID cache does not get reset when you bypass the fork
implementation in libc, so you end up with subtle corruption bugs on
TID reuse.
So I'd say that in most cases, the C situation is pretty much the same
as the Go situation. If I recall correctly, the problem for Go is
that it cannot call setns from Go code because it fails in the kernel
for multi-threaded processes, and Go processes are already
multi-threaded when user Go code runs.
Powered by blists - more mailing lists