[CRIU] [PATCH] restore: handle errors of setting credentials

Tue Apr 23 03:36:48 EDT 2013

On 04/18/2013 02:22 PM, Andrey Vagin wrote:

You don't handle errors from setXids and securebits manipulations.

> Signed-off-by: Andrey Vagin <avagin at openvz.org>
> ---
>  cr-restore.c       | 12 ++++++++++++
>  include/restorer.h |  1 +
>  pie/restorer.c     | 12 +++++++++---
>  3 files changed, 22 insertions(+), 3 deletions(-)
> 
> diff --git a/cr-restore.c b/cr-restore.c
> index f1cb706..d9f074b 100644
> --- a/cr-restore.c
> +++ b/cr-restore.c
> @@ -56,6 +56,7 @@
>  #include "cpu.h"
>  #include "file-lock.h"
>  #include "page-read.h"
> +#include "sysctl.h"
>  
>  #include "protobuf.h"
>  #include "protobuf/sa.pb-c.h"
> @@ -1464,6 +1465,17 @@ static int prepare_creds(int pid, struct task_restore_core_args *args)
>  	int fd, ret;
>  	CredsEntry *ce;
>  
> +	struct sysctl_req req[] = {
> +		{ "kernel/cap_last_cap", &args->cap_last_cap, CTL_U32 },
> +		{ },
> +	};
> +
> +	ret = sysctl_op(req, CTL_READ);
> +	if (ret < 0) {
> +		pr_err("Failed to read max IPC message size\n");
> +		return -1;
> +	}
> +
>  	fd = open_image(CR_FD_CREDS, O_RSTR, pid);
>  	if (fd < 0)
>  		return fd;
> diff --git a/include/restorer.h b/include/restorer.h
> index ef19d64..6a9da84 100644
> --- a/include/restorer.h
> +++ b/include/restorer.h
> @@ -120,6 +120,7 @@ struct task_restore_core_args {
>  	uint32_t			cap_prm[CR_CAP_SIZE];
>  	uint32_t			cap_eff[CR_CAP_SIZE];
>  	uint32_t			cap_bnd[CR_CAP_SIZE];
> +	uint32_t			cap_last_cap;
>  
>  	MmEntry				mm;
>  	auxv_t				mm_saved_auxv[AT_VECTOR_SIZE];
> diff --git a/pie/restorer.c b/pie/restorer.c
> index 4feea0c..943cf55 100644
> --- a/pie/restorer.c
> +++ b/pie/restorer.c
> @@ -40,6 +40,7 @@
>  static struct task_entries *task_entries;
>  static futex_t thread_inprogress;
>  static futex_t zombies_inprogress;
> +static int cap_last_cap;
>  
>  extern void cr_restore_rt (void) asm ("__cr_restore_rt")
>  			__attribute__ ((visibility ("hidden")));
> @@ -116,11 +117,13 @@ static void restore_creds(CredsEntry *ce)
>  
>  	for (b = 0; b < CR_CAP_SIZE; b++) {
>  		for (i = 0; i < 32; i++) {
> +			if (b * 32 + i > cap_last_cap)
> +				break;
>  			if (ce->cap_bnd[b] & (1 << i))
>  				/* already set */
>  				continue;
> -
> -			sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0);
> +			if (sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0))
> +				BUG();
>  		}
>  	}
>  
> @@ -140,7 +143,8 @@ static void restore_creds(CredsEntry *ce)
>  		data[i].inh = ce->cap_inh[i];
>  	}
>  
> -	sys_capset(&hdr, data);
> +	if (sys_capset(&hdr, data))
> +		BUG();
>  }
>  
>  static void restore_sched_info(struct rst_sched_param *p)
> @@ -466,6 +470,8 @@ long __export_restore_task(struct task_restore_core_args *args)
>  	log_set_fd(args->logfd);
>  	log_set_loglevel(args->loglevel);
>  
> +	cap_last_cap = args->cap_last_cap;
> +
>  	pr_info("Switched to the restorer %d\n", my_pid);
>  
>  	for (vma_entry = args->self_vmas; vma_entry->start != 0; vma_entry++) {
> 