[CRIU] restoring apparmor/selinux profiles

Pavel Emelyanov xemul at parallels.com
Thu Oct 23 10:41:37 PDT 2014


On 10/23/2014 09:18 PM, Tycho Andersen wrote:
> Hi all,
> 
> Another thing that we need to do in order to migrate containers is to
> restore any apparmor/selinux profiles. I've been looking into this,
> and it seems that we should do this at the end of the restorer blob,
> since the syscalls in the restorer blob might be blocked by the
> profile we're restoring.
> 
> What's the best way of calling code like this? I could statically link
> the whole thing into the restorer blob, but that doesn't seem ideal.

Right now it's the only way to go. The restorer blob is like the parasite -- it's
statically linked PIE code. If we want to use libraries in either of them,
this is theoretically possible, but would require non-trivial modification
of criu, since it would have to do tasks typically done by ld.

> Should I just pass a function pointer from the "regular" criu code? Is
> there some other option?

This won't work either :) All the "regular" criu code gets unmapped at the
beginning of restorer execution. This is what we created it for :)

Thanks,
Pavel
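
The constraint discussed in the message above, as an added example that is not part of the original post and is not CRIU's code: an AppArmor profile switch written so it could sit in a libc-free blob and run as the last restore step. It assumes the AppArmor interface of writing "changeprofile <name>" to /proc/self/attr/current; the function names and the profile name "example-profile" are hypothetical, and open/write/close stand in for the blob's raw syscall stubs.

```c
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#define ATTR_CURRENT "/proc/self/attr/current" /* LSM label file */

/* Build the AppArmor command "changeprofile <name>" with plain loops (no
 * strlen/snprintf: the blob has no libc). Returns length, or -1 on bad input. */
long build_changeprofile(char *buf, size_t cap, const char *profile)
{
    const char *parts[2] = { "changeprofile ", profile };
    size_t n = 0, i, p;
    if (!profile || !profile[0])
        return -1;
    for (p = 0; p < 2; p++)
        for (i = 0; parts[p][i]; i++) {
            if (n + 1 >= cap)
                return -1;
            buf[n++] = parts[p][i];
        }
    buf[n] = '\0';
    return (long)n;
}

/* open/write/close stand in for the blob's raw syscall stubs (assumption).
 * A short write counts as failure: the label must arrive in one write. */
int write_label(const char *path, const char *cmd, size_t len)
{
    int fd = open(path, O_WRONLY);
    ssize_t w;
    if (fd < 0)
        return -1;
    w = write(fd, cmd, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

/* Final restore step: afterwards the profile may deny syscalls still needed. */
int restore_apparmor(const char *path, const char *profile)
{
    char cmd[256];
    long len = build_changeprofile(cmd, sizeof(cmd), profile);
    return len < 0 ? -1 : write_label(path, cmd, (size_t)len);
}

int main(int argc, char **argv)
{
    /* "example-profile" is a constructed placeholder profile name. */
    return restore_apparmor(ATTR_CURRENT, argc > 1 ? argv[1] : "example-profile") != 0;
}
```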



