mirror of
https://github.com/checkpoint-restore/criu.git
synced 2026-01-23 10:16:41 +00:00
b8556e8084
We have collected a good set of calls that cannot be done inside user namespaces, but we need to [1]. Some of them has already being addressed, like prctl mm bits restore, but some are not. I'm pretty sceptical about the ability to relax the security checks on quite a lot of them (e.g. open-by-handle is indeed a very dangerous operation if allowed to unpriviledged user), so we need some way to call those things even in user namespaces. The good news about it its that all the calls I've found operate on file descriptors this way or another. So if we had a process, that lived outside of user namespace, we could ask one to do the high priority operation we need and exchange the affected file descriptor via unix socket. So the usernsd is the one doing exactly this. It starts before we create the user namespace and accepts requests via unix socket. Clients (the processes we restore) send him the functions they want to call, the descriptor they want to operate on and the arguments blob. Optionally, they can request some file descriptor back after the call. In non usernamespace case the daemon is not started and the calls are done right in the requestor's process environment. In the next patch there's an example of how to use this daemon to do the priviledged SO_SNDBUFFORCE/_RCVBUFFORCE sockopt on a socket. [1] http://criu.org/UserNamespace Signed-off-by: Pavel Emelyanov <xemul@parallels.com> Acked-by: Andrew Vagin <avagin@openvz.org>
34 lines
880 B
C
34 lines
880 B
C
#ifndef __CR_SERVICE_FD_H__
|
|
#define __CR_SERVICE_FD_H__
|
|
|
|
#include <stdbool.h>
|
|
|
|
enum sfd_type {
|
|
SERVICE_FD_MIN,
|
|
|
|
LOG_FD_OFF,
|
|
IMG_FD_OFF,
|
|
PROC_FD_OFF, /* fd with /proc for all proc_ calls */
|
|
CTL_TTY_OFF,
|
|
SELF_STDIN_OFF,
|
|
CR_PROC_FD_OFF, /* some other's proc fd.
|
|
* For dump -- target ns' proc
|
|
* For restore -- CRIU ns' proc
|
|
*/
|
|
ROOT_FD_OFF, /* Root of the namespace we dump/restore */
|
|
CGROUP_YARD,
|
|
USERNSD_SK, /* Socket for usernsd */
|
|
|
|
SERVICE_FD_MAX
|
|
};
|
|
|
|
extern int clone_service_fd(int id);
|
|
extern int init_service_fd(void);
|
|
extern int get_service_fd(enum sfd_type type);
|
|
extern int reserve_service_fd(enum sfd_type type);
|
|
extern int install_service_fd(enum sfd_type type, int fd);
|
|
extern int close_service_fd(enum sfd_type type);
|
|
extern bool is_service_fd(int fd, enum sfd_type type);
|
|
extern bool is_any_service_fd(int fd);
|
|
|
|
#endif /* __CR_SERVICE_FD_H__ */
|