[CRIU] [PATCH 2/2] security: restrict criu with groups

Ruslan Kuprieiev kupruser at gmail.com
Fri Jul 4 07:26:52 PDT 2014


On 04.07.2014 17:23, Pavel Emelyanov wrote:
> On 07/04/2014 06:20 PM, Ruslan Kuprieiev wrote:
>> On 04.07.2014 17:10, Pavel Emelyanov wrote:
>>>> @@ -62,13 +134,13 @@ static bool check_caps(u32 *inh, u32 *eff, u32 *prm)
>>>>    bool may_dump(struct proc_status_creds *creds)
>>>>    {
>>>>    	return check_ids(cr_uid, creds->uids[0], creds->uids[1], creds->uids[2]) &&
>>>> -		check_ids(cr_gid, creds->gids[0], creds->gids[1], creds->gids[2]) &&
>>>> +		check_gids(creds->gids[0], creds->gids[1], creds->gids[2], creds->groups, creds->ngroups) &&
>>> Getting groups on dump from proc file is not right. First of all, proc shows
>>> only first 32 groups. And to address that, we get groups out of parasite code,
>>> so they are ready some time during the dump.
>> Oh, I didn't know that.
>> Will use getgrouplist.
> getgrouplist on dump is also not good. You should use the groups
> obtained from the task.

Could you tell me why it is not good, please?

>
>> Thanks.
>>
>>>>    		check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
>>>>    }
>>>>    
>>>>    bool may_restore(CredsEntry *creds)
>>>>    {
>>>>    	return check_ids(cr_uid, creds->uid, creds->euid, creds->suid) &&
>>>> -		check_ids(cr_gid, creds->gid, creds->egid, creds->sgid) &&
>>>> +		check_gids(creds->gid, creds->egid, creds->sgid, creds->groups, creds->n_groups) &&
>>>>    		check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
>>>>    }
>>>>
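Review bot: in the may_dump change, check_gids is called with creds->groups and creds->ngroups taken from the proc status parse, and as the thread notes, proc lists at most the first 32 supplementary groups; a task with more groups would be checked against a truncated list, so the restriction could pass when it should not. Suggest running the dump-side check_gids against the full group list CRIU obtains from the task itself (the parasite-collected groups) rather than these proc-derived fields, keeping the may_restore call on CredsEntry's groups/n_groups as written. The check_gids definition is not in this hunk, so the review cannot confirm it compares the supplementary groups and not only gid/egid/sgid.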
>> .
>>
