[CRIU] Re: [PATCH] proc: don't show nonexistent capabilities

Cyrill Gorcunov gorcunov at openvz.org
Mon Oct 1 05:10:43 EDT 2012


On Mon, Oct 01, 2012 at 12:21:07PM +0400, Andrew Vagin wrote:
> Without this patch it is really hard to interpret a bounding set,
> if CAP_LAST_CAP is unknown for a current kernel.
> 
> Non-existent capabilities can not be deleted from a bounding set
> with help of prctl.
> 
> E.g.: Here are two examples without/with this patch.
> CapBnd:	ffffffe0fdecffff
> CapBnd:	00000000fdecffff
> 
> I suggest to hide non-existent capabilities. Here are two reasons.
> * It's logical and easier to use.
> * It helps to checkpoint-restore capabilities of tasks, because tasks
> can be restored on another kernel, where CAP_LAST_CAP is bigger.

This seems to me really dangerous. The caps may be set on a newer kernel where
CAP_LAST_CAP < CAP_LAST_CAP from the old kernel (suppose you've set all caps
on vfs while you've been on the new kernel), then you reboot into the older kernel
and, if I've not missed something, cap_bprm_set_creds may fail.
