getboottime64() provides the time stamp of system boot. In case of time namespaces, the offset to the boot time stamp was not applied earlier. However, getboottime64 is used e.g., in /proc/stat to print the system boot time to userspace. In container runtimes which utilize time namespaces to virtualize boottime of a container, this leaks information about the host system boot time.
Therefore, we make getboottime64() to respect the time namespace offset for boottime by subtracting the boottime offset. Signed-off-by: Michael Weiß <michael.we...@aisec.fraunhofer.de> --- kernel/time/timekeeping.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 4c47f388a83f..67530cdb389e 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -17,6 +17,7 @@ #include <linux/clocksource.h> #include <linux/jiffies.h> #include <linux/time.h> +#include <linux/time_namespace.h> #include <linux/tick.h> #include <linux/stop_machine.h> #include <linux/pvclock_gtod.h> @@ -2154,6 +2155,8 @@ void getboottime64(struct timespec64 *ts) { struct timekeeper *tk = &tk_core.timekeeper; ktime_t t = ktime_sub(tk->offs_real, tk->offs_boot); + /* shift boot time stamp according to the timens offset */ + t = timens_ktime_to_host(CLOCK_BOOTTIME, t); *ts = ktime_to_timespec64(t); } -- 2.20.1