[CRIU] User namespaces

Aditya Kali adityakali at google.com
Tue Jul 9 20:26:16 EDT 2013


Hi,

I tried to add some basic userns support to CRIU. Currently, I create
a new user namespace and only restore the entries in uid_map and
gid_map files for the INIT process. But, in order to make it all work,
I had to patch the kernel to relax the prctl_set_mm() permission check to
within the user namespace (instead of global).

index 0da73cf..d49b32b 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1865,7 +1865,7 @@ static int prctl_set_mm(int opt, unsigned long addr,
        if (arg5 || (arg4 && opt != PR_SET_MM_AUXV))
                return -EINVAL;

-       if (!capable(CAP_SYS_RESOURCE))
+       if (!nsown_capable(CAP_SYS_RESOURCE))
                return -EPERM;

        if (opt == PR_SET_MM_EXE_FILE)
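Review bot: replacing capable(CAP_SYS_RESOURCE) with nsown_capable(CAP_SYS_RESOURCE) turns this into a check that any process can satisfy, because an unprivileged user who creates a user namespace holds every capability inside it; the test therefore stops gating prctl_set_mm on real privilege. Every PR_SET_MM_* option flows through this single check, including PR_SET_MM_EXE_FILE (handled right after it), which changes what /proc/PID/exe reports and so affects tooling and auditing outside the namespace, not just the caller's own memory layout. Consider a per-option decision (keep capable() for options with effects visible outside the process, relax only the pure layout fields), or have the CRIU restorer perform this step while it still has the global capability, and state the reasoning in the commit message, which is currently empty beyond the index line.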


To me, this seems OK since the process is modifying only its own
memory. But I am not a security expert and don't know if this has any
other consequences. I tried to dig up original references to this
code:
  http://lkml.indiana.edu/hypermail/linux/kernel/1112.1/01750.html
  http://thread.gmane.org/gmane.linux.kernel/1263470
but none of them talk about user namespaces.

What do you guys think about this change? Do you think this is the
right way to go and should be upstream? If not, is there an
alternative to this approach?

Thanks,

On Fri, Jun 21, 2013 at 1:29 PM, Zhengyu He <hzy at google.com> wrote:
> Great. Thanks.
>
>
> On Fri, Jun 21, 2013 at 1:24 PM, Andrew Vagin <avagin at parallels.com> wrote:
>>
>> On Fri, Jun 21, 2013 at 12:08:40PM -0700, Zhengyu He wrote:
>> > Hi there,
>> >
>> > We find criu doesn't support user namespace so far. Is there any obvious
>> > obstacle to support it?
>>
>> There is nothing obvious. You can try to do that. If you will have any
>> question, ask it here, we will try to help you.
>>
>> Thanks,
>> Andrey
>>
>> >
>> > Thanks,
>> > Zhengyu
>>
>> > _______________________________________________
>> > CRIU mailing list
>> > CRIU at openvz.org
>> > https://lists.openvz.org/mailman/listinfo/criu
>>
>



-- 

Aditya

