[CRIU] [PATCH 2/2] lsm: restore lsm bits per tid instead of per pid
Tycho Andersen
tycho.andersen at canonical.com
Thu Jun 11 10:52:17 PDT 2015
On Thu, Jun 11, 2015 at 07:57:27PM +0300, Pavel Emelyanov wrote:
> > @@ -154,9 +154,12 @@ struct task_restore_args {
> > pid_t *helpers /* the TASK_HELPERS to wait on at the end of restore */;
> > int n_helpers;
> >
> > - int proc_attr_current;
> > - char *lsm_profile;
> > - int lsm_profile_len;
> > + /*
> > + * proc_fd is a handle to /proc that the restorer blob can use to open
> > + * files there, because some of them can't be opened before the
> > + * restorer blob is called.
> > + */
> > + int proc_fd;
>
> We already have the fd for /proc/sys/kernel/ns_last_pid file. I think it's worth
> just having one fd for /proc and tune the threads forking code to use one.
Isn't this just an fd for /proc/sys/kernel/ns_last_pid, though, not
/proc? I could switch that code to use this fd, if you like, though.
> > #ifdef CONFIG_VDSO
> > unsigned long vdso_rt_size;
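Review bot: the new comment on `proc_fd` says what the descriptor is for but not who owns it, i.e. whether the restorer blob closes it before the restored task resumes or whether it is closed elsewhere; a /proc fd left open would show up in the restored process's fd table, so state the ownership in the comment. Also, this hunk drops `proc_attr_current`, `lsm_profile` and `lsm_profile_len` from `struct task_restore_args` without showing the per-thread fields that replace them; a short pointer in the struct comment or the commit message to where the label now lives would help readers of this header.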
> > diff --git a/pie/restorer.c b/pie/restorer.c
> > index 8713c6a..e4a19dc 100644
> > --- a/pie/restorer.c
> > +++ b/pie/restorer.c
> > @@ -95,7 +95,59 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
> > sys_exit_group(1);
> > }
> >
> > -static int restore_creds(CredsEntry *ce)
> > +static void pie_strcat(char *dest, char *src)
> > +{
> > + char *p;
> > + int off;
> > +
> > + for (p = dest; *p; p++)
> > + ;
> > +
> > + off = p - dest;
> > +
> > + for (p = src; *p; p++)
> > + dest[off + p - src] = *p;
> > +
> > + dest[off + p - src] = 0;
> > +}
> > +
> > +static int lsm_set_label(char *label, int procfd)
> > +{
> > + int ret = -1, len, lsmfd;
> > + char path[80] = "self/task/", num[12], *n;
> > +
> > + if (!label)
> > + return 0;
> > +
> > + pr_info("restoring lsm profile %s\n", label);
> > +
> > + num[sizeof(num) - 1] = 0;
> > + len = vprint_num(num, sizeof(num) - 1, sys_gettid(), &n);
> > + pie_strcat(path, n);
> > +
> > + pie_strcat(path, "/attr/current");
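Review bot: `pie_strcat()` takes no destination size, so `lsm_set_label()` relies on `path[80]` being large enough for "self/task/" plus at most 11 digits from `num[12]` plus "/attr/current"; that fits today, but nothing checks it, and a later caller with a longer suffix would silently overrun the stack buffer. Give the helper a size argument (e.g. `pie_strlcat(char *dest, const char *src, size_t size)`) and check its result, and make `src` a `const char *` since string literals are passed to it. Minor: `len` is assigned from `vprint_num()` but not used in the visible part of the hunk; drop it if it is unused further down.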
>
> Can you tune the pie/log_simple.c's print_on_level() routine to allow for
> sprint() behavior? It has all the required format parsing and will let us
> get rid of many char[]-s and strcats :)
So I tried this first, but the sbuf_flush() call (and associated
logic) in sbuf_putc() makes it so that a lot more code would have to
change in order to do this. I can take another whack at it if you'd
like, but it's going to be a pretty big patch based on my previous
attempt.
Tycho