mirror of
https://github.com/checkpoint-restore/criu.git
synced 2026-07-17 16:47:50 +00:00
When checkpointing tasks confined by stacked AppArmor profiles inside an AppArmor namespace, CRIU compiles a permissive parasite profile using apparmor_parser and writes it to the namespace policy replacement interface (/sys/kernel/security/apparmor/policy/namespaces/<ns>/.replace). Previously, get_suspend_policy() invoked apparmor_parser with flags (-QWL) requesting cache file generation and read the resulting cache file. On modern AppArmor 4.x kernels, cache files include cache metadata headers that cause the kernel policy unpacker to reject the binary blob with EPROTONOSUPPORT (-93, "invalid profile format"). Replace the cache mechanism by invoking apparmor_parser with the -o flag to output a clean binary policy stream directly. Furthermore, when writing a replacement profile blob to an AppArmor .replace interface, successful writes return the total size of the profile load data structure consumed or updated in the kernel (e.g., 5233 bytes for stacked profiles), rather than the exact byte length of the input payload (e.g., 727 bytes for a parasite profile). Checking if (n != len) erroneously treats a successful replacement write as a failure. Fix policy write validation to check if (n < 0). Across Linux kernel versions, AppArmor enforces different requirements for policy replacement blobs written to a namespace .replace interface: - Older kernels (AppArmor 3.x / early 4.x on Ubuntu 22.04) expect blobs compiled without namespace headers (-n <ns>); specifying -n causes the kernel to load the replacement into a nested sub-namespace (<ns>//<ns>), leaving the active profile unchanged and causing socket permission failures during dump. - Modern kernels (AppArmor 4.x on Ubuntu 26.04) reject blobs compiled without namespace headers with EPROTONOSUPPORT (-93, "invalid profile format"). Update get_suspend_policy() and write_aa_policy() to implement runtime fallback: first try compiling without -n <ns> and writing directly to the namespace interface for older kernels. If writing fails (n < 0), retry compilation passing -n <ns> and write to the root interface to satisfy modern kernels. In addition, when restoring tasks confined by profiles inside an AppArmor namespace on AppArmor 4.x kernels, the host root unconfined profile remains stacked with the target namespace profile when viewed from the root namespace (e.g., "unconfined//&:ns:profile"). Update checkprofile() in the apparmor_stacking test to recognize and allow the "unconfined//&" prefix when verifying restored profiles. Assisted-by: Gemini Signed-off-by: Andrei Vagin <avagin@google.com> |
||
|---|---|---|
| .. | ||
| compel | ||
| cuda-checkpoint | ||
| exhaustive | ||
| inhfd | ||
| javaTests | ||
| jenkins | ||
| libfault | ||
| others | ||
| pki | ||
| plugins | ||
| zdtm | ||
| .gitignore | ||
| abrt.sh | ||
| crit-recode.py | ||
| empty-netns-prep.sh | ||
| groups.desc | ||
| inhfd.desc | ||
| Makefile | ||
| pycriu | ||
| umount2.c | ||
| zdtm.desc | ||
| zdtm.py | ||
| zdtm_ct.c | ||
| zdtm_mount_cgroups | ||
| zdtm_umount_cgroups | ||