[CRIU] [PATCH] restore: handle errors of setting credentials

[Andrey Vagin]

Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 cr-restore.c       | 12 ++++++++++++
 include/restorer.h |  1 +
 pie/restorer.c     | 12 +++++++++---
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/cr-restore.c b/cr-restore.c
index f1cb706..d9f074b 100644
--- a/cr-restore.c
+++ b/cr-restore.c
@@ -56,6 +56,7 @@
 #include "cpu.h"
 #include "file-lock.h"
 #include "page-read.h"
+#include "sysctl.h"
 
 #include "protobuf.h"
 #include "protobuf/sa.pb-c.h"
@@ -1464,6 +1465,17 @@ static int prepare_creds(int pid, struct task_restore_core_args *args)
 	int fd, ret;
 	CredsEntry *ce;
 
+	struct sysctl_req req[] = {
+		{ "kernel/cap_last_cap", &args->cap_last_cap, CTL_U32 },
+		{ },
+	};
+
+	ret = sysctl_op(req, CTL_READ);
+	if (ret < 0) {
+		pr_err("Failed to read max IPC message size\n");
+		return -1;
+	}
+
 	fd = open_image(CR_FD_CREDS, O_RSTR, pid);
 	if (fd < 0)
 		return fd;
diff --git a/include/restorer.h b/include/restorer.h
index ef19d64..6a9da84 100644
--- a/include/restorer.h
+++ b/include/restorer.h
@@ -120,6 +120,7 @@ struct task_restore_core_args {
 	uint32_t			cap_prm[CR_CAP_SIZE];
 	uint32_t			cap_eff[CR_CAP_SIZE];
 	uint32_t			cap_bnd[CR_CAP_SIZE];
+	uint32_t			cap_last_cap;
 
 	MmEntry				mm;
 	auxv_t				mm_saved_auxv[AT_VECTOR_SIZE];
diff --git a/pie/restorer.c b/pie/restorer.c
index 4feea0c..943cf55 100644
--- a/pie/restorer.c
+++ b/pie/restorer.c
@@ -40,6 +40,7 @@
 static struct task_entries *task_entries;
 static futex_t thread_inprogress;
 static futex_t zombies_inprogress;
+static int cap_last_cap;
 
 extern void cr_restore_rt (void) asm ("__cr_restore_rt")
 			__attribute__ ((visibility ("hidden")));
@@ -116,11 +117,13 @@ static void restore_creds(CredsEntry *ce)
 
 	for (b = 0; b < CR_CAP_SIZE; b++) {
 		for (i = 0; i < 32; i++) {
+			if (b * 32 + i > cap_last_cap)
+				break;
 			if (ce->cap_bnd[b] & (1 << i))
 				/* already set */
 				continue;
-
-			sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0);
+			if (sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0))
+				BUG();
 		}
 	}
 
@@ -140,7 +143,8 @@ static void restore_creds(CredsEntry *ce)
 		data[i].inh = ce->cap_inh[i];
 	}
 
-	sys_capset(&hdr, data);
+	if (sys_capset(&hdr, data))
+		BUG();
 }
 
 static void restore_sched_info(struct rst_sched_param *p)
@@ -466,6 +470,8 @@ long __export_restore_task(struct task_restore_core_args *args)
 	log_set_fd(args->logfd);
 	log_set_loglevel(args->loglevel);
 
+	cap_last_cap = args->cap_last_cap;
+
 	pr_info("Switched to the restorer %d\n", my_pid);
 
 	for (vma_entry = args->self_vmas; vma_entry->start != 0; vma_entry++) {
-- 
1.8.2