[CRIU] [PATCH 2/2] lsm: restore lsm bits per tid instead of per pid
Pavel Emelyanov
xemul at parallels.com
Thu Jun 11 09:57:27 PDT 2015
> @@ -154,9 +154,12 @@ struct task_restore_args {
> pid_t *helpers /* the TASK_HELPERS to wait on at the end of restore */;
> int n_helpers;
>
> - int proc_attr_current;
> - char *lsm_profile;
> - int lsm_profile_len;
> + /*
> + * proc_fd is a handle to /proc that the restorer blob can use to open
> + * files there, because some of them can't be opened before the
> + * restorer blob is called.
> + */
> + int proc_fd;
We already have the fd for the /proc/sys/kernel/ns_last_pid file. I think it's worth
just having one fd for /proc and tuning the threads forking code to use that one.
> #ifdef CONFIG_VDSO
> unsigned long vdso_rt_size;
> diff --git a/pie/restorer.c b/pie/restorer.c
> index 8713c6a..e4a19dc 100644
> --- a/pie/restorer.c
> +++ b/pie/restorer.c
> @@ -95,7 +95,59 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
> sys_exit_group(1);
> }
>
> -static int restore_creds(CredsEntry *ce)
> +static void pie_strcat(char *dest, char *src)
> +{
> + char *p;
> + int off;
> +
> + for (p = dest; *p; p++)
> + ;
> +
> + off = p - dest;
> +
> + for (p = src; *p; p++)
> + dest[off + p - src] = *p;
> +
> + dest[off + p - src] = 0;
> +}
> +
> +static int lsm_set_label(char *label, int procfd)
> +{
> + int ret = -1, len, lsmfd;
> + char path[80] = "self/task/", num[12], *n;
> +
> + if (!label)
> + return 0;
> +
> + pr_info("restoring lsm profile %s\n", label);
> +
> + num[sizeof(num) - 1] = 0;
> + len = vprint_num(num, sizeof(num) - 1, sys_gettid(), &n);
> + pie_strcat(path, n);
> +
> + pie_strcat(path, "/attr/current");
Can you tune the pie/log_simple.c's print_on_level() routine to allow for
sprint() behavior? It has all the required format parsing and will let us
get rid of many char[]-s and strcats :)
> + lsmfd = sys_openat(procfd, path, O_WRONLY, 0);
> + sys_close(procfd);
> + if (lsmfd < 0) {
> + pr_err("failed openat %d\n", lsmfd);
> + return -1;
> + }
> +
> + for (len = 0; label[len]; len++)
> + ;
> +
> + ret = sys_write(lsmfd, label, len);
> + sys_close(lsmfd);
> + if (ret < 0) {
> + pr_err("can't write lsm profile %d\n", ret);
> + return -1;
> + }
> +
> + return 0;
> +}
> +
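Review bot: In lsm_set_label the result of `sys_write(lsmfd, label, len)` is only tested with `if (ret < 0)`, so a short write is reported as success and the task would carry on with a label that was not fully applied. Because this is the confinement profile, the check should fail closed: `if (ret != len) {`. The function also calls `sys_close(procfd)` on a descriptor it was handed, while the new comment in task_restore_args describes proc_fd as a general handle for the restorer blob. If another thread or a later restore step still uses that descriptor it would presumably fail with EBADF, so closing it in the owning caller looks safer; the callers are in the part of the hunk trimmed from this quote, so this needs confirming there. Separately, the `len` assigned from vprint_num() is never read before the length loop overwrites it.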
-- Pavel