[CRIU] [PATCH] zdtm: set the dumpable flag after setuid
Andrew Vagin
avagin at virtuozzo.com
Wed Dec 23 07:23:58 PST 2015
On Wed, Dec 23, 2015 at 07:57:12AM -0700, Tycho Andersen wrote:
> On Tue, Dec 22, 2015 at 07:01:48PM +0300, Andrey Vagin wrote:
> > From: Andrew Vagin <avagin at virtuozzo.com>
> >
> > Otherwise we will not able to access /proc/pid/* for the process.
> >
> > Cc: Tycho Andersen <tycho.andersen at canonical.com>
> > Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
> > ---
> > test/zdtm/live/static/seccomp_filter.c | 23 ++++++++++++++++++++++-
> > 1 file changed, 22 insertions(+), 1 deletion(-)
> >
> > diff --git a/test/zdtm/live/static/seccomp_filter.c b/test/zdtm/live/static/seccomp_filter.c
> > index b1f13e4..329ac8a 100644
> > --- a/test/zdtm/live/static/seccomp_filter.c
> > +++ b/test/zdtm/live/static/seccomp_filter.c
> > @@ -97,7 +97,7 @@ int main(int argc, char ** argv)
> > if (filter_syscall(__NR_ptrace) < 0)
> > _exit(1);
> >
> > - if (filter_syscall(__NR_prctl) < 0)
> > + if (filter_syscall(__NR_wait4) < 0)
> > _exit(1);
>
> Can we use __NR_setresuid here? The idea is to have a syscall that is
> used in restore_creds, so we can make sure seccomp is actually
> suspended when that is called. Also, I guess this fixes the bug you
> mailed me about?
I've sent a new version. Thank you for this comment. Yes, it fixes this
bug.
>
> Acked-by: Tycho Andersen <tycho.andersen at canonical.com>
>
> > setuid(1000);
> > @@ -115,6 +115,18 @@ int main(int argc, char ** argv)
> > _exit(1);
> > }
> >
> > + prctl(PR_SET_DUMPABLE, 1);
> > +
> > + if (write(sk, &c, 1) != 1) {
> > + pr_perror("write");
> > + _exit(1);
> > + }
> > +
> > + if (read(sk, &c, 1) != 1) {
> > + pr_perror("read");
> > + _exit(1);
> > + }
> > +
> > /* We expect to be killed by our policy above. */
> > ptrace(PTRACE_TRACEME);
> >
> > @@ -132,6 +144,15 @@ int main(int argc, char ** argv)
> > test_daemon();
> > test_waitsig();
> >
> > + if (write(sk, &c, 1) != 1) {
> > + pr_perror("write");
> > + goto err;
> > + }
> > + if ((ret = read(sk, &c, 1)) != 1) {
> > + pr_perror("read %d", ret);
> > + goto err;
> > + }
> > +
> > mode = get_seccomp_mode(pid);
> > if (write(sk, &c, 1) != 1) {
> > pr_perror("write");
> > --
> > 2.4.3
> >
More information about the CRIU
mailing list