proc: Fix /proc/cpuinfo not respecting personality #609

Merged
merged 1 commit into from
Sep 15, 2023

@gibmat gibmat commented Sep 4, 2023

It was found that the personality within the container was not being properly respected, which for large numbers of CPUs would break reporting of /proc/cpuinfo in arm32 containers running on an arm64 host.

Tested on an arm64 QEMU VM; with this fix the 32bit container now properly reports /proc/cpuinfo. Shamelessly copied most of the code from the existing proc_read_with_personality().

Fixes: #608.

It was found that the personality within the container was not being
properly respected, which for large numbers of CPUs would break
reporting of /proc/cpuinfo in arm32 containers running on an arm64 host.

Signed-off-by: Mathias Gibbens <gibmat@debian.org>

stgraber commented Sep 8, 2023

@mihalicyn can you take a look?

@mihalicyn
Member

> @mihalicyn can you take a look?

sure! My bad that I've skipped that one.

@mihalicyn
Member

LGTM!

Big thanks for noticing, debugging and fixing, Mathias!

I'll do some refactoring in the following PR.

gibmat commented Sep 15, 2023

Would it be possible to merge this in the next few days? I'd like to have the fix included in the Debian 12.2 point release (scheduled for Oct 7). Working back from that date, I need to have the updated package basically ready by the 23rd so there's plenty of time for the update to be approved and included by the release team.

@stgraber stgraber merged commit b69552a into lxc:main Sep 15, 2023
10 checks passed
stgraber pushed a commit that referenced this pull request Jun 25, 2024
096972f and fc8f593 introduce task personalities retrieval to fix
incorrect /proc files info in some cases.
Linux governs access to personalities based on system ptrace policy,
which may be restricted by an LSM (e.g. Yama).

This patch implements a simple check for init's personality access to
make sure ptrace usage is allowed, and prevent access from containers to
proc files with "Permission denied" error if not.

> closes #636 (follow-up to #553 and #609).

Signed-off-by: Samuel FORESTIER <samuel+dev@forestier.app>
Successfully merging this pull request may close these issues.

Reading /proc/cpuinfo in a 32bit arm container on arm64 host fails for large numbers of CPUs