update documentation to mention that x86 containers can, in rare cases, be affected by the personality-related error

robertkirkman · robertkirkman · commit ee8f9eae4ed0 · 2026-02-04T10:14:55.000-06:00
- I have discovered that it is possible to construct a convoluted situation in which a purely 64-bit x86 container running on a purely 64-bit x86 device can also be affected by the `personality`-related error, and that the `custom-docker-with-unrestricted-personality.patch` is also capable of preventing the error in that rare situation. Contact me if you would like to learn the steps to reproduce that situation.
diff --git a/README.md b/README.md
@@ -49,8 +49,9 @@ command:
 docker run --rm --privileged aptman/qus -s -- -p aarch64 arm
 ```
 
-Note that AArch64 and ARM containers sometimes work properly only in privileged
-mode, even on some real ARM devices. If you want your containers to have standard privileges, a custom
+Note that AArch64 and ARM containers (and in certain rare situations, some x86 containers)
+sometimes work properly only in privileged mode, even on some real ARM devices.
+If you want your containers to have standard privileges, a custom
 seccomp profile or a custom build of Docker might be required. The custom build
 of Docker limits the customizations to purely what is necessary for
 the `personality()` system call, leaving the security settings of all other system
@@ -134,7 +135,8 @@ Podman:
 
 There a number of known issues which may not be resolved:
 
-* ARM containers might require a custom seccomp profile or custom build of Docker to remove restrictions from the
+* ARM containers (and in certain rare situations, some x86 containers)
+  might require a custom seccomp profile or custom build of Docker to remove restrictions from the
   `personality()` system call.
 
 * When running certain multi threaded program in 32bit containers, the PIDs can 
diff --git a/custom-docker-with-unrestricted-personality.patch b/custom-docker-with-unrestricted-personality.patch
@@ -1,5 +1,6 @@
 This removes all restrictions from the personality() system call from within Docker, and
 is only necessary on some specific devices, including some ARM devices but not all ARM devices,
+and including some x86 devices in some rare situations but not all situations,
 and only when the --privileged and --security-opt arguments are either not working or not desired,
 which sometimes happens. This patch is designed for the docker.io package version 26.1.5 in
 Debian trixie: https://packages.debian.org/trixie/docker.io, but also works when rebased on other
