[CRIU] [PATCH] zdtm: set the dumpable flag after setuid

Andrew Vagin avagin at virtuozzo.com
Wed Dec 23 07:23:58 PST 2015 

On Wed, Dec 23, 2015 at 07:57:12AM -0700, Tycho Andersen wrote:
> On Tue, Dec 22, 2015 at 07:01:48PM +0300, Andrey Vagin wrote:
> > From: Andrew Vagin <avagin at virtuozzo.com>
> > 
> > Otherwise we will not able to access /proc/pid/* for the process.
> > 
> > Cc: Tycho Andersen <tycho.andersen at canonical.com>
> > Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
> > ---
> >  test/zdtm/live/static/seccomp_filter.c | 23 ++++++++++++++++++++++-
> >  1 file changed, 22 insertions(+), 1 deletion(-)
> > 
> > diff --git a/test/zdtm/live/static/seccomp_filter.c b/test/zdtm/live/static/seccomp_filter.c
> > index b1f13e4..329ac8a 100644
> > --- a/test/zdtm/live/static/seccomp_filter.c
> > +++ b/test/zdtm/live/static/seccomp_filter.c
> > @@ -97,7 +97,7 @@ int main(int argc, char ** argv)
> >  		if (filter_syscall(__NR_ptrace) < 0)
> >  			_exit(1);
> >  
> > -		if (filter_syscall(__NR_prctl) < 0)
> > +		if (filter_syscall(__NR_wait4) < 0)
> >  			_exit(1);
> 
> Can we use __NR_setresuid here? The idea is to have a syscall that is
> used in restore_creds, so we can make sure seccomp is actually
> suspended when that is called. Also, I guess this fixes the bug you
> mailed me about?

I've sent a new version. Thank you for this comment. Yes, it fixes this
bug.

> 
> Acked-by: Tycho Andersen <tycho.andersen at canonical.com>
> 
> >  		setuid(1000);
> > @@ -115,6 +115,18 @@ int main(int argc, char ** argv)
> >  			_exit(1);
> >  		}
> >  
> > +		prctl(PR_SET_DUMPABLE, 1);
> > +
> > +		if (write(sk, &c, 1) != 1) {
> > +			pr_perror("write");
> > +			_exit(1);
> > +		}
> > +
> > +		if (read(sk, &c, 1) != 1) {
> > +			pr_perror("read");
> > +			_exit(1);
> > +		}
> > +
> >  		/* We expect to be killed by our policy above. */
> >  		ptrace(PTRACE_TRACEME);
> >  
> > @@ -132,6 +144,15 @@ int main(int argc, char ** argv)
> >  	test_daemon();
> >  	test_waitsig();
> >  
> > +	if (write(sk, &c, 1) != 1) {
> > +		pr_perror("write");
> > +		goto err;
> > +	}
> > +	if ((ret = read(sk, &c, 1)) != 1) {
> > +		pr_perror("read %d", ret);
> > +		goto err;
> > +	}
> > +
> >  	mode = get_seccomp_mode(pid);
> >  	if (write(sk, &c, 1) != 1) {
> >  		pr_perror("write");
> > -- 
> > 2.4.3
> >

More information about the CRIU mailing list