[CRIU] [PATCH] security: check_ids - return true if [se]?[ug]id is the same as task id

Pavel Emelyanov xemul at parallels.com
Tue May 27 12:36:15 PDT 2014


On 05/23/2014 01:33 PM, Pavel Emelyanov wrote:
> On 05/19/2014 06:17 PM, Ruslan Kuprieiev wrote:
>> On 17.05.2014 12:00, Andrew Vagin wrote:
>>> On Fri, May 16, 2014 at 05:54:55PM +0300, Ruslan Kuprieiev wrote:
>>>> Currently there are typos in check_ids, so one can't pass this check,
>>>> unless (u/g)id == e(g/u)id == s(g/u)id == task_(g/u)id.
>>
>> OMG, I mixed task and caller id's in this description!
> 
> The checks you're fixing prevent from creating images with "bad"
> code and restore them into siud-ed process. What problem are we
> trying to resolve? If I get it right it is -- task executes a
> suid-ed binary belonging to some other user, then we checkpoint
> it, then try to restore and fail. Is that correct?

Ruslan?


More information about the CRIU mailing list