[CRIU] [PATCH 2/2] security: restrict criu with groups

Pavel Emelyanov xemul at parallels.com
Fri Jul 4 07:10:46 PDT 2014


> @@ -62,13 +134,13 @@ static bool check_caps(u32 *inh, u32 *eff, u32 *prm)
>  bool may_dump(struct proc_status_creds *creds)
>  {
>  	return check_ids(cr_uid, creds->uids[0], creds->uids[1], creds->uids[2]) &&
> -		check_ids(cr_gid, creds->gids[0], creds->gids[1], creds->gids[2]) &&
> +		check_gids(creds->gids[0], creds->gids[1], creds->gids[2], creds->groups, creds->ngroups) &&

Getting groups on dump from proc file is not right. First of all, proc shows
only first 32 groups. And to address that, we get groups out of parasite code,
so they are ready some time during the dump.

>  		check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
>  }
>  
>  bool may_restore(CredsEntry *creds)
>  {
>  	return check_ids(cr_uid, creds->uid, creds->euid, creds->suid) &&
> -		check_ids(cr_gid, creds->gid, creds->egid, creds->sgid) &&
> +		check_gids(creds->gid, creds->egid, creds->sgid, creds->groups, creds->n_groups) &&
>  		check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
>  }
> 



More information about the CRIU mailing list