[CRIU] [PATCH 3/4] pie: move seccomp before creds to avoid restoring them after setuid
Tycho Andersen
tycho.andersen at canonical.com
Wed Dec 16 08:15:09 PST 2015
Note that this doesn't actually fix the problem, because seccomp could
block the setuid call, and since we're now restoring when the task isn't
ptraced and in SECCOMP_SUSPEND mode, we can't guarantee that the seccomp
filters won't be suspended.
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
pie/restorer.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/pie/restorer.c b/pie/restorer.c
index 4665c5d..80a59a9 100644
--- a/pie/restorer.c
+++ b/pie/restorer.c
@@ -1256,25 +1256,23 @@ long __export_restore_task(struct task_restore_args *args)
rst_tcp_socks_all(args);
+ /* The kernel restricts setting seccomp to uid 0 in the current user
+ * ns, so we must do this before restore_creds.
+ */
+ pr_info("restoring seccomp mode %d for %ld\n", args->seccomp_mode, sys_getpid());
+ restore_seccomp(args);
+
/*
* Writing to last-pid is CAP_SYS_ADMIN protected,
* turning off TCP repair is CAP_SYS_NED_ADMIN protected,
* thus restore* creds _after_ all of the above.
*/
-
ret = restore_creds(&args->creds, args->proc_fd);
ret = ret || restore_dumpable_flag(&args->mm);
ret = ret || restore_pdeath_sig(args->t);
futex_set_and_wake(&thread_inprogress, args->nr_threads);
- /*
- * We have to close the log before restoring seccomp, because
- * SECCOMP_MODE_STRICT blocks close().
- */
- if (args->seccomp_mode != SECCOMP_MODE_DISABLED)
- pr_info("restoring seccomp mode %d for %ld\n", args->seccomp_mode, sys_getpid());
-
restore_finish_stage(CR_STATE_RESTORE_CREDS);
if (ret)
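Review bot: the new restore_seccomp(args) call placed ahead of restore_creds() means every later syscall in this function runs under the restored seccomp mode, and the hunk deletes the only comment that recorded the constraint ("SECCOMP_MODE_STRICT blocks close()") without replacing it. With strict mode, or with a filter that denies setuid as the commit message itself notes, restore_creds() and the calls after it can no longer succeed, so the new comment should say what is expected to happen in that case, or the early restore should be limited to modes where the following calls are known to be allowed. The pr_info() also lost its `args->seccomp_mode != SECCOMP_MODE_DISABLED` guard, so it now logs "restoring seccomp mode" even when nothing is restored. The result of restore_seccomp() is still not folded into `ret`, so a failure here is not caught by the `if (ret)` check at the end of the hunk.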
@@ -1304,8 +1302,6 @@ long __export_restore_task(struct task_restore_args *args)
restore_posix_timers(args);
- restore_seccomp(args);
-
sys_munmap(args->rst_mem, args->rst_mem_size);
/*
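Review bot: removing restore_seccomp(args) from just before sys_munmap() gives up the property that the old position had, namely that almost nothing in the restorer ran after seccomp took effect. After this change, whatever syscalls restore_posix_timers() and sys_munmap() make are issued with the dumped mode already active, so a filter that rejects any of them would break the restore at this point rather than at the seccomp step. A short comment at this site stating that seccomp is already in force here, and that these calls depend on the filter permitting them, would make the limitation described in the commit message visible in the code.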
--
2.5.0