Also define some constants for people who don't have them in their headers.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

This commit adds basic support for dumping and restoring seccomp filters
via the new ptrace interface. There are two current known limitations with
this approach:

1. This approach doesn't support restoring tasks who first do a seccomp()
   and then a setuid(); the test elaborates on this and I don't think it is
   tough to do, but it is not done yet.
2. Filters are compared via memcmp(), so two tasks which have the same
   parent task and install identical (via memory) filters will have those
   filters considered to be the "same". Since we force all tasks to have
   the same creds (including seccomp filters) right now, this isn't a
   problem.

The approach used here is very similar to the cgroup approach: the actual
filters are stored in a seccomp.img, and each task has an id that points to
the part of the filter tree it needs to restore. This keeps us from dumping
the same filter multiple times, since filters are inherited on fork.

v2:
* remove unused seccomp_filters field from struct rst_info
* rework memory layout for passing filters to restorer blob
* add a sanity check when finding inherited filters

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

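The deduplication scheme described in the commit message above (one shared filter tree, a per-task id, and a match that requires the same parent plus memcmp()-identical bytes), sketched as an added example that is not CRIU's own code. The struct layout, function names and sample bytes are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MAX_NODES 16
#define ERR_FULL (-2)
struct prog { const unsigned char *bytes; size_t len; };
/* Tree node (hypothetical layout, not CRIU's image format); parent -1 = oldest filter. */
struct node { int parent; struct prog p; };
static struct node tree[MAX_NODES];
static int nr_nodes;

/* Reuse a node only if it has the same parent AND byte-identical contents. */
static int intern_filter(int parent, struct prog p)
{
    for (int i = 0; i < nr_nodes; i++)
        if (tree[i].parent == parent && tree[i].p.len == p.len &&
            memcmp(tree[i].p.bytes, p.bytes, p.len) == 0)
            return i;
    if (nr_nodes == MAX_NODES)
        return ERR_FULL;
    tree[nr_nodes] = (struct node){ parent, p };
    return nr_nodes++;
}

/* Dump one task's chain, oldest filter first; returns the id the task records. */
static int dump_chain(const struct prog *chain, int n)
{
    int id = -1;                       /* -1: task has no filters */
    for (int i = 0; i < n && id != ERR_FULL; i++)
        id = intern_filter(id, chain[i]);
    return id;
}

/* Restore side: count the filters to reinstall by walking parent links from the id. */
static int chain_depth(int id)
{
    int depth = 0;
    for (; id >= 0; id = tree[id].parent)
        depth++;
    return depth;
}

/* Constructed bytes standing in for BPF programs. */
static const unsigned char A[] = { 1, 0 }, B[] = { 2, 0 }, C[] = { 3, 0 };
static const struct prog sample[] = { { A, sizeof A }, { B, sizeof B }, { C, sizeof C } };
int main(void)
{
    int parent = dump_chain(sample, 2), kid1 = dump_chain(sample, 3), kid2 = dump_chain(sample, 3);
    int lone = dump_chain(sample + 1, 1);  /* same bytes as B, but no parent */
    printf("%d %d %d %d nodes=%d depth=%d\n", parent, kid1, kid2, lone, nr_nodes, chain_depth(kid1));
    return 0;
}
```

Both children end up with the same id because their third filter is byte-identical and hangs off the same parent node, which is the "same filter" behaviour limitation 2 describes; the lone task's copy of B gets its own node because its parent differs.
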
linux/seccomp.h may not be available, and the seccomp mode might not be
listed in /proc/pid/status, so let's not assume those two things are
present.

v2: add a seccomp.h with all the constants we use from linux/seccomp.h
v3: don't do a compile time check for PTRACE_O_SUSPEND_SECCOMP, just let
    ptrace return EINVAL for it; also add a checkskip to skip the
    seccomp_strict test if PTRACE_O_SUSPEND_SECCOMP or linux/seccomp.h
    aren't present.
v4: use criu check --feature instead of checkskip to check whether the
    kernel supports seccomp_suspend

Reported-by: Mr. Jenkins
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Andrew Vagin <avagin@odin.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>