Implement personality(2) for no-op personality bits.

Fixes #10756

Author: EtiennePerot

pkg/abi/linux/BUILD

@@ -58,6 +58,7 @@ go_library(
         "netlink.go",
         "netlink_route.go",
         "nf_tables.go",
+        "personality.go",
         "poll.go",
         "prctl.go",
         "ptrace.go",

pkg/abi/linux/personality.go

@@ -0,0 +1,29 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package linux
+
+// Personality flags, used by personality(2),
+// from include/uapi/linux/personality.h.
+const (
+	SHORT_INODE   = 0x1000000
+	WHOLE_SECONDS = 0x2000000
+	PER_LINUX     = 0x0000
+	PER_BSD       = 0x0006
+)
+
+// NOTE: All of the above flags are non-security-sensitive and may be copied
+// from parent task to child task. However, this is not the case for all
+// personality bits. If adding more, check PER_CLEAR_ON_SETID and ensure that
+// these are cleared on suid/sgid execs.

pkg/sentry/kernel/kernel.go

@@ -1157,6 +1157,7 @@ func (k *Kernel) CreateProcess(args CreateProcessArgs) (*ThreadGroup, ThreadID,
 		InitialCgroups:   args.InitialCgroups,
 		UserCounters:     k.GetUserCounters(args.Credentials.RealKUID),
 		Origin:           args.Origin,
+		Personality:      linux.PER_LINUX,
 		// A task with no parent starts out with no session keyring.
 		SessionKeyring: nil,
 	}

pkg/sentry/kernel/task.go

@@ -608,6 +608,9 @@ type Task struct {
 	// +checklocks:mu
 	sessionKeyring *auth.Key
 
+	// personality is the task's personality(2) bits.
+	personality atomicbitops.Uint32
+
 	// Origin is the origin of the task.
 	Origin TaskOrigin
 }
@@ -869,3 +872,14 @@ func (t *Task) ResetKcov() {
 		t.kcov = nil
 	}
 }
+
+// Personality returns the task's personality.
+func (t *Task) Personality() uint32 {
+	return t.personality.Load()
+}
+
+// SetPersonality sets the task's personality.
+// It returns the task's former personality.
+func (t *Task) SetPersonality(personality uint32) uint32 {
+	return t.personality.Swap(personality)
+}

pkg/sentry/kernel/task_clone.go

@@ -265,6 +265,7 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 		ContainerID:      t.ContainerID(),
 		UserCounters:     uc,
 		SessionKeyring:   sessionKeyring,
+		Personality:      t.personality.Load(),
 		Origin:           t.Origin,
 	}
 	if args.Flags&linux.CLONE_THREAD == 0 {

pkg/sentry/kernel/task_start.go

@@ -104,6 +104,9 @@ type TaskConfig struct {
 	// It may be nil.
 	SessionKeyring *auth.Key
 
+	// Personality is the personality of the parent task.
+	Personality uint32
+
 	Origin TaskOrigin
 }
 
@@ -174,6 +177,7 @@ func (ts *TaskSet) newTask(ctx context.Context, cfg *TaskConfig) (*Task, error)
 		cgroups:        make(map[Cgroup]struct{}),
 		userCounters:   cfg.UserCounters,
 		sessionKeyring: cfg.SessionKeyring,
+		personality:    atomicbitops.FromUint32(cfg.Personality),
 		Origin:         cfg.Origin,
 	}
 	t.netns = cfg.NetworkNamespace

pkg/sentry/syscalls/linux/BUILD

@@ -33,6 +33,7 @@ go_library(
         "sys_mount.go",
         "sys_mq.go",
         "sys_msgqueue.go",
+        "sys_personality.go",
         "sys_pipe.go",
         "sys_poll.go",
         "sys_prctl.go",

pkg/sentry/syscalls/linux/linux64.go

@@ -187,7 +187,7 @@ var AMD64 = &kernel.SyscallTable{
 		132: syscalls.Supported("utime", Utime),
 		133: syscalls.Supported("mknod", Mknod),
 		134: syscalls.Error("uselib", linuxerr.ENOSYS, "Obsolete", nil),
-		135: syscalls.ErrorWithEvent("personality", linuxerr.EINVAL, "Unable to change personality.", nil),
+		135: syscalls.PartiallySupported("personality", Personality, "Only setting no-op personality bits and retrieving them are supported.", nil),
 		136: syscalls.ErrorWithEvent("ustat", linuxerr.ENOSYS, "Needs filesystem support.", nil),
 		137: syscalls.Supported("statfs", Statfs),
 		138: syscalls.Supported("fstatfs", Fstatfs),
@@ -523,7 +523,7 @@ var ARM64 = &kernel.SyscallTable{
 		89:  syscalls.CapError("acct", linux.CAP_SYS_PACCT, "", nil),
 		90:  syscalls.Supported("capget", Capget),
 		91:  syscalls.Supported("capset", Capset),
-		92:  syscalls.ErrorWithEvent("personality", linuxerr.EINVAL, "Unable to change personality.", nil),
+		92:  syscalls.PartiallySupported("personality", Personality, "Only setting no-op personality bits and retrieving them are supported.", nil),
 		93:  syscalls.Supported("exit", Exit),
 		94:  syscalls.Supported("exit_group", ExitGroup),
 		95:  syscalls.Supported("waitid", Waitid),

pkg/sentry/syscalls/linux/sys_personality.go

@@ -0,0 +1,43 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package linux
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/errors/linuxerr"
+	"gvisor.dev/gvisor/pkg/sentry/arch"
+	"gvisor.dev/gvisor/pkg/sentry/kernel"
+)
+
+const (
+	// getPersonality may be passed to `personality(2)` to get the current
+	// personality bits without modifying them.
+	getPersonality = 0xffffffff
+)
+
+// Personality implements Linux syscall personality(2).
+func Personality(t *kernel.Task, sysno uintptr, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
+	// allowedPersonalityBits are the personality bits that are allowed to be set.
+	const allowedPersonalityBits = linux.PER_LINUX | linux.PER_BSD | linux.SHORT_INODE | linux.WHOLE_SECONDS
+
+	personality := args[0].Uint()
+	if personality == getPersonality {
+		return uintptr(t.Personality()), nil, nil
+	}
+	if personality&allowedPersonalityBits != personality {
+		return 0, nil, linuxerr.EINVAL
+	}
+	return uintptr(t.SetPersonality(personality)), nil, nil
+}

test/syscalls/BUILD

@@ -479,6 +479,10 @@ syscall_test(
     test = "//test/syscalls/linux:pause_test",
 )
 
+syscall_test(
+    test = "//test/syscalls/linux:personality_test",
+)
+
 syscall_test(
     size = "medium",
     add_hostinet = True,