[CRIU] restoring apparmor/selinux profiles
Tycho Andersen
tycho.andersen at canonical.com
Thu Oct 23 10:49:27 PDT 2014
On Thu, Oct 23, 2014 at 09:41:37PM +0400, Pavel Emelyanov wrote:
> On 10/23/2014 09:18 PM, Tycho Andersen wrote:
> > Hi all,
> >
> > Another thing that we need to do in order to migrate containers is to
> > restore any apparmor/selinux profiles. I've been looking into this,
> > and it seems that we should do this at the end of the restorer blob,
> > since the syscalls in the restorer blob might be blocked by the
> > profile we're restoring.
> >
> > What's the best way of calling code like this? I could statically link
> > the whole thing into the restorer blob, but that doesn't seem ideal.
>
> Right now it's the only way to go. The restorer blob is like parasite -- it's
> statically linked PIE code. If we want to use libraries in either of them,
> this is theoretically possible, but would require non-trivial modification
> of criu, since it would have to do tasks typically done by ld.

Ok, sounds good. I definitely don't want to be messing around with
whatever black magic ld does :)

> > Should I just pass a function pointer from the "regular" criu code? Is
> > there some other option?
>
> This won't work either :) All the "regular" criu code gets unmapped at the
> beginning of restorer execution. This is what we created it for :)

Ah, yeah, I was worried about something like that. Thanks for the
reply!

Tycho

> Thanks,
> Pavel
>
>
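
The constraint discussed in this thread, as an added example that is not part of the original messages and is not CRIU's code: confinement is applied as the last step, using only code that lives inside the blob. It assumes the AppArmor procfs interface (writing `changeprofile <name>` to `/proc/self/attr/current`); the function names are hypothetical, and `syscall(2)` stands in for the raw syscall stubs a libc-free blob would carry.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper: build "changeprofile <name>" with no libc string
 * calls, as code in a statically linked PIE blob must. Returns the
 * command length, or -1 if the name is empty or does not fit. */
long build_aa_cmd(char *buf, size_t size, const char *profile)
{
    const char *parts[2] = { "changeprofile ", profile };
    size_t n = 0;

    if (!profile || !*profile)
        return -1;
    for (int i = 0; i < 2; i++)
        for (const char *p = parts[i]; *p; p++) {
            if (n + 1 >= size)
                return -1;
            buf[n++] = *p;
        }
    buf[n] = '\0';
    return (long)n;
}

/* Run this last: once the write succeeds, the new profile may deny
 * syscalls that earlier restore steps still needed.
 * Assumption: syscall(2) replaces the blob's own syscall stubs. */
long apply_aa_profile(const char *profile)
{
    char cmd[256];
    long len = build_aa_cmd(cmd, sizeof(cmd), profile);
    long fd, ret;

    if (len < 0)
        return -1;
    fd = syscall(SYS_openat, AT_FDCWD, "/proc/self/attr/current", O_WRONLY);
    if (fd < 0)
        return -1;
    ret = syscall(SYS_write, fd, cmd, (size_t)len);
    syscall(SYS_close, fd);
    return ret == len ? 0 : -1;
}

int main(int argc, char **argv)
{
    return argc > 1 ? (int)-apply_aa_profile(argv[1]) : 2;
}
```

A failed write leaves the task in its previous confinement, so a restore path built this way should treat a non-zero return as a failed restore instead of continuing under the wrong profile.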