[CRIU] Checkpoint/restore as non-root user

Andrew Vagin avagin at parallels.com
Tue Oct 28 03:41:08 PDT 2014


On Fri, Oct 17, 2014 at 03:56:07PM +0400, Pavel Emelyanov wrote:
> On 10/16/2014 04:48 PM, Filipe Brandenburger wrote:
> > Hi Pavel,
> > 
> > Following up on it, the idea here is to see how much we could do in criu to dump/restore
> > an image without requiring (real) root privileges.
> > 
> > So, one point you raised was that to set the pid we need root, but maybe we could do that
> > inside a user namespace and maybe patch the kernel to allow userns root to set the pids 
> > inside the pidns?
> 
> I was thinking about it. The thing is that switching something in the kernel from capable()
> to ns_capable() effectively means allowing the thing for everyone :) I think that the kernel guys
> would ask to make this ns_capable() check be per-pid-namespace, so that a user that
> wants to create tasks with given PIDs only affects the PID namespace that was created
> after the user-ns.

static int pid_ns_ctl_handler(struct ctl_table *table, int write,
                void __user *buffer, size_t *lenp, loff_t *ppos)
...
        if (write && !ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN))
                return -EPERM;
...

We can already set ns_last_pid in user namespaces.

> 
> > You mentioned the concern of the user modifying an image on disk and restoring it, but in
> > a sense that's akin to attaching gdb to a process and modifying its memory and that's already
> > possible without root, right?
> 
> Almost. There are bits in creds.img files with UIDs, GIDs and capabilities. Restoring those
> in the arbitrary state should not be allowed, but IIRC we have addressed this in security
> checks. So yes, it should be OK.
> 
> > Do you think it would be a good feature to exploit? Even if we can't support everything (e.g.
> > ttys) I think it would be useful in many cases.
> 
> Yes, I was asked some time ago whether we can make CRIU not root-only, so this definitely would
> be a useful feature.

You need to apply patches from Cyrill about using the new prctl interface.

Here are the problems which you will have on restore:
http://criu.org/UserNamespace

It's interesting to know the problems on dump.

Thanks.

> 
> Thanks,
> Pavel


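The ns_last_pid write discussed in this thread can be exercised without real root. The following is an added example, not code from the thread or from CRIU; the function name `fork_with_pid_in_userns` is hypothetical, and it assumes a Linux host with unprivileged user namespaces enabled and a writable /proc/sys.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status of a child, or 0 (our "failed" marker) if it died abnormally. */
static int reap(pid_t pid)
{
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return 0;
    return WEXITSTATUS(st);
}

/* As an unprivileged user, create a user + PID namespace pair and request
 * `target` as the next PID in it (2..255 so it fits in an exit status).
 * Returns the PID handed out, or -1 if the host does not allow this. */
int fork_with_pid_in_userns(int target)
{
    char buf[8];
    if (target < 2 || target > 255)
        return -1;
    pid_t helper = fork();              /* leave the caller's namespaces alone */
    if (helper < 0)
        return -1;
    if (helper == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID) < 0)
            _exit(0);
        pid_t init = fork();            /* becomes PID 1 of the new pid ns */
        if (init != 0)
            _exit(init < 0 ? 0 : reap(init));
        /* We hold CAP_SYS_ADMIN in pid_ns->user_ns, so ns_capable() passes. */
        int fd = open("/proc/sys/kernel/ns_last_pid", O_WRONLY);
        int len = snprintf(buf, sizeof(buf), "%d", target - 1);
        if (fd < 0 || write(fd, buf, len) != len)
            _exit(0);
        pid_t got = fork();             /* kernel allocates ns_last_pid + 1 */
        if (got == 0)
            _exit(0);
        if (got > 0)
            waitpid(got, NULL, 0);
        _exit(got > 0 ? got : 0);
    }
    int got = reap(helper);
    return got ? got : -1;
}

int main(void) { printf("pid: %d\n", fork_with_pid_in_userns(100)); return 0; }
```

The write only affects the PID namespace created together with the user namespace, so the host's PID allocation is untouched.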