Reject CLONE_NEW* namespace flags in legacy clone(2) #46
Merged
sys_clone forwarded raw flags to the posix_spawn-based fork path without inspecting CLONE_NEW* bits, so clone(CLONE_NEWPID, ...) silently created an unisolated child and returned a PID as if the namespace had been set up. clone3 already rejected the same flags with EINVAL, so the observable result depended on which entry point the caller used.

Mirror the clone3 policy in sys_clone: reject any namespace flag with EINVAL. The exit signal occupies the CSIGNAL low byte in clone(2), so mask it off before testing. CLONE_NEWTIME (0x80) lives in that byte and, like CLONE_INTO_CGROUP (bit 33) and set_tid, cannot be conveyed through clone(2), so only the higher namespace bits are reachable. Move the namespace flag macros to the top of the file so both entry points share them.

Add a regression test asserting clone(2) rejects each reachable CLONE_NEW* flag, matching the existing clone3 coverage.

Closes sysprog21#44
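The mask-then-test policy the description spells out, as an added example and not the project's own sys_clone code: the flag values are Linux's own, while `clone_flags_allowed`, `CLONE_NS_FLAGS` and `reachable_ns_flags` are names assumed here.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>

/* Linux clone(2) flag values, as defined in <linux/sched.h>. */
#define CSIGNAL          0x000000ffUL /* exit signal lives in the low byte */
#define CLONE_VM         0x00000100UL
#define CLONE_NEWTIME    0x00000080UL /* inside CSIGNAL: not reachable via clone(2) */
#define CLONE_NEWNS      0x00020000UL
#define CLONE_NEWCGROUP  0x02000000UL
#define CLONE_NEWUTS     0x04000000UL
#define CLONE_NEWIPC     0x08000000UL
#define CLONE_NEWUSER    0x10000000UL
#define CLONE_NEWPID     0x20000000UL
#define CLONE_NEWNET     0x40000000UL

/* Namespace bits that survive masking off the exit signal byte. */
#define CLONE_NS_FLAGS (CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC | \
                        CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)

/* Hypothetical gate for the clone(2) entry point: 0 means the flags may be forwarded
 * to the spawn path, -EINVAL means a namespace was requested that cannot be provided. */
int clone_flags_allowed(unsigned long flags)
{
    unsigned long raw = flags & ~CSIGNAL; /* drop the exit signal before testing */
    if (raw & CLONE_NS_FLAGS)
        return -EINVAL;
    return 0;
}

/* The flags a clone(2) regression test should exercise one at a time. */
static const unsigned long reachable_ns_flags[] = {
    CLONE_NEWNS, CLONE_NEWCGROUP, CLONE_NEWUTS, CLONE_NEWIPC,
    CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET,
};

size_t reachable_ns_flag_count(void)
{
    return sizeof(reachable_ns_flags) / sizeof(reachable_ns_flags[0]);
}

int main(void)
{
    for (size_t i = 0; i < reachable_ns_flag_count(); i++)
        printf("clone(0x%lx | SIGCHLD) -> %d\n", reachable_ns_flags[i],
               clone_flags_allowed(reachable_ns_flags[i] | SIGCHLD));
    return 0;
}
```

Note that CLONE_NEWTIME alone is indistinguishable from an exit-signal value once the low byte is masked, which is why the regression test cannot cover it.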
Contributor
Thank @Max042004 for contributing!
Summary by cubic
Reject CLONE_NEW* namespace flags in legacy clone(2) to match clone3 behavior. This fixes a bug where clone() would silently fork without isolation and pretend the namespace was created.
- In sys_clone, mask off the CSIGNAL byte and return EINVAL when any CLONE_NEW* bit is set (namespaces aren't implemented).
- Share the CLONE_NEW* macros between sys_clone and sys_clone3, and add a regression test that asserts clone(2) rejects all reachable flags (excluding CLONE_NEWTIME in CSIGNAL).

Written for commit 64ea4e3.