[CRIU] RPC support for --shell-job missing on restore

Andrew Vagin avagin at parallels.com
Fri May 16 06:28:27 PDT 2014 

On Fri, May 16, 2014 at 08:33:41AM -0400, Christopher Covington wrote:
> Hi Allan,
> 
> On 05/16/2014 03:44 AM, Allan Cecil wrote:
> > On 2014-05-15 06:59, Pavel Emelyanov wrote:
> >> I'd like to notice here, that right now this is only possible if you
> >> terminate the whole existing process and
> >> restore one back from scratch using criu. However, we have a feature
> >> called "applying images" (http://criu.org/Applying_images)
> >> With it you will not have to kill the original process and the
> >> revert-back should become MUCH faster.
> > 
> > Applying images sounds very interesting - how do I do that?  I don't see it in
> > the man page.  I've built from source so I can update or switch branches as
> > needed.
> > 
> >> You might b einterested in the --exec-cmd option for criu. It causes
> >> criu to call execv() on whatever you want after
> >> restore thus making _your_ code control the restored processes.
> > 
> > I haven't figured out how to make this work, yet.  I'll keep experimenting.  I
> > thought it was for saying "restore this into this screen session" but that did
> > not work.
> > 
> >>> that would still work.  Unfortunately, even if I set the suid bit and
> >>> attempt to restore from the command line I still get denied
> >>> bgecause the UID / GID doesn't match.
> >>
> >> Can you shed more light on this? We tried to make it work like -- if
> >> we have images for user X, then if we restore from
> >> them from suid-ed criu and the user that does so is X as well, then we
> >> allow for that. Has that get broken?
> >>
> > 
> > Here are the exact steps I'm taking.  First, I'm running as the unprivileged
> > user named tas:
> > $ id
> > uid=1001(tas) gid=1001(tas) groups=1001(tas),110(kvm),119(nopasswdlogin)
> > 
> > I start screen and inside of screen I start nethack.  This produces the
> > following ps axf -o pid,sid,pgid,uid,gid,comm output:
> > 
> >  9002  9002  9002  1001    43 screen
> >  9003  9003  9003  1001  1001  \_ bash
> >  9165  9003  9165  1001  1001      \_ nethack
> > 
> > If outside of screen I attempt to issue the command criu dump -v4 -t 9002 as
> > the same tas user I get this:
> > 
> > (00.014062) Obtaining task stat ... (00.014126) Error (security.c:34): UID/GID
> > mismatch 1001 != (1001,43,43)
> 
> It looks like the session ID isn't matching.

I have reproduce this bug on my host.

(00.012437) Obtaining task stat ... (00.012592) Error (security.c:34): UID/GID mismatch 1000 != (1000,20,20)

[avagin at localhost criu]$ ps -C nethack
  PID TTY          TIME CMD
10962 pts/2    00:00:00 nethack
[avagin at localhost criu]$ cat /proc/10962/status | grep Gid
Gid:	1000	20	20	20

[avagin at localhost zzz]$ cat /etc/group | grep 20
games:x:20:

Add Ruslan Kuprieiev in CC. He is the main security specialist in CRIU;)

> 
> > (00.014137) Error (cr-dump.c:1438): Check uid (pid: 9002) failed
> > 
> > For the record, the criu process has the stuid bit set:
> > 
> > -rwsr-xr-x 1 root root 779899 Apr 25 14:39 /usr/local/sbin/criu
> > 
> > I'm not sure what to make of this.  Thanks for your thoughts,
> 
> Can you try `criu dump` of `setsid nethack` instead of `criu dump -j` of
> `nethack`.
> 
> Regards,
> Christopher
> 
> -- 
> Employee of Qualcomm Innovation Center, Inc.
> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
> hosted by the Linux Foundation.

More information about the CRIU mailing list