[CRIU] [PATCH 2/2] lsm: restore lsm bits per tid instead of per pid

Pavel Emelyanov xemul at parallels.com
Thu Jun 11 11:48:32 PDT 2015


On 06/11/2015 08:52 PM, Tycho Andersen wrote:
> On Thu, Jun 11, 2015 at 07:57:27PM +0300, Pavel Emelyanov wrote:
>>> @@ -154,9 +154,12 @@ struct task_restore_args {
>>>  	pid_t				*helpers /* the TASK_HELPERS to wait on at the end of restore */;
>>>  	int				n_helpers;
>>>  
>>> -	int				proc_attr_current;
>>> -	char				*lsm_profile;
>>> -	int				lsm_profile_len;
>>> +	/*
>>> +	 * proc_fd is a handle to /proc that the restorer blob can use to open
>>> +	 * files there, because some of them can't be opened before the
>>> +	 * restorer blob is called.
>>> +	 */
>>> +	int				proc_fd;
>>
>> We already have the fd for the /proc/sys/kernel/ns_last_pid file. I think it's worth
>> just having one fd for /proc and tuning the thread-forking code to use it.
> 
> Isn't this just an fd for /proc/sys/kernel/ns_last_pid, though, not
> /proc?

Yup, the one we have on task_args is purely for ns_last_pid.

> I could switch that code to use this fd, if you like, though.

Yes, please. The less descriptors we have there the better (I think).

>>>  #ifdef CONFIG_VDSO
>>>  	unsigned long			vdso_rt_size;
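Review bot: the new comment on proc_fd in task_restore_args says what the descriptor is for but not who owns it; since lsm_set_label() in the restorer opens paths relative to procfd, state whether the restorer blob closes proc_fd (and each per-thread lsmfd) before the restored task resumes, otherwise a /proc directory descriptor that did not exist at dump time survives into the restored process. As the task_args already carry an fd for /proc/sys/kernel/ns_last_pid, opening a single /proc dirfd and deriving both from it would also keep the restorer's descriptor count down, as discussed above.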
>>> diff --git a/pie/restorer.c b/pie/restorer.c
>>> index 8713c6a..e4a19dc 100644
>>> --- a/pie/restorer.c
>>> +++ b/pie/restorer.c
>>> @@ -95,7 +95,59 @@ static void sigchld_handler(int signal, siginfo_t *siginfo, void *data)
>>>  	sys_exit_group(1);
>>>  }
>>>  
>>> -static int restore_creds(CredsEntry *ce)
>>> +static void pie_strcat(char *dest, char *src)
>>> +{
>>> +	char *p;
>>> +	int off;
>>> +
>>> +	for (p = dest; *p; p++)
>>> +		;
>>> +
>>> +	off = p - dest;
>>> +
>>> +	for (p = src; *p; p++)
>>> +		dest[off + p - src] = *p;
>>> +
>>> +	dest[off + p - src] = 0;
>>> +}
>>> +
>>> +static int lsm_set_label(char *label, int procfd)
>>> +{
>>> +	int ret = -1, len, lsmfd;
>>> +	char path[80] = "self/task/", num[12], *n;
>>> +
>>> +	if (!label)
>>> +		return 0;
>>> +
>>> +	pr_info("restoring lsm profile %s\n", label);
>>> +
>>> +	num[sizeof(num) - 1] = 0;
>>> +	len = vprint_num(num, sizeof(num) - 1, sys_gettid(), &n);
>>> +	pie_strcat(path, n);
>>> +
>>> +	pie_strcat(path, "/attr/current");
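Review bot: pie_strcat() is unbounded, so lsm_set_label() relies on path[80] being large enough for "self/task/" (10 bytes) plus an up-to-11-digit tid plus "/attr/current" (13 bytes) without anything enforcing it; either pass the destination size (a pie_strncat(dest, size, src) that stops at size - 1 and returns -1 on truncation) or add a compile-time check that the fixed parts plus sizeof(num) fit in sizeof(path), so a later change to either buffer cannot silently overrun the stack. Separately, `static void pie_strcat(char *dest, char *src)` should take `const char *src`, since string literals are passed in.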
>>
>> Can you tune the pie/log_simple.c's print_on_level() routine to allow for
>> sprint() behavior? It has all the required format parsing and will let us
>> get rid of many char[]-s and strcats :)
> 
> So I tried this first, but the sbuf_flush() call (and associated
> logic) in sbuf_putc() makes it so that a lot more code would have to
> change in order to do this. I can take another whack at it if you'd
> like, but it's going to be a pretty big patch based on my previous
> attempt.

I see. Well yes, it was supposed to print long messages having limited
buffer at hands.

How about adding the ->flush callback on the simple_buf and setting it to
NULL (or a routine doing BUG()) when doing the sprintf-like behavior?

-- Pavel
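The flush-callback idea from the message above, as an added, self-contained sketch that is not CRIU's pie/log_simple.c and not code from either participant: a staging buffer whose putc() hands full contents to a ->flush callback, used once in logging mode (small stage, flushed into a sink whenever it fills) and once in sprintf-like mode (the caller's fixed buffer with flush set to NULL, so overflow is reported to the caller rather than hitting BUG()). The struct layout, the names simple_buf, sbuf_putc, sbuf_finish, sbuf_printf, build_attr_path and log_label, the sink type, and the tid value 4242 are all assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical staging buffer (an assumption, not CRIU's simple_buf).
 * Bytes go into buf[]; when it is full, flush() is asked to consume them.
 * A NULL flush means "nowhere to spill": putc fails instead, which is the
 * sprintf-like behaviour.  A flush that returns <0 has the same effect.
 */
struct simple_buf {
	char *buf;	/* staging area, always kept NUL-terminated */
	int size;	/* bytes in buf, including room for the NUL */
	int pos;	/* bytes currently staged */
	int overflow;	/* set once a byte could not be placed */
	void *priv;	/* for the flush callback */
	int (*flush)(struct simple_buf *b); /* 0: staged bytes consumed; <0: refuse */
};

static int sbuf_putc(struct simple_buf *b, char c)
{
	if (b->pos >= b->size - 1) {
		if (!b->flush || b->flush(b) < 0) {
			b->overflow = 1;
			return -1;
		}
		b->pos = 0;
	}
	b->buf[b->pos++] = c;
	b->buf[b->pos] = '\0';
	return 0;
}

/* Push out whatever is still staged; returns -1 if anything was ever lost. */
static int sbuf_finish(struct simple_buf *b)
{
	if (b->flush && b->pos > 0) {
		if (b->flush(b) < 0)
			b->overflow = 1;
		b->pos = 0;
	}
	return b->overflow ? -1 : 0;
}

static int sbuf_puts(struct simple_buf *b, const char *s)
{
	for (; *s; s++)
		if (sbuf_putc(b, *s) < 0)
			return -1;
	return 0;
}

static int sbuf_putnum(struct simple_buf *b, long v)
{
	char tmp[24];
	int i = sizeof(tmp) - 1;
	unsigned long u = v < 0 ? 0UL - (unsigned long)v : (unsigned long)v;

	tmp[i] = '\0';
	do {
		tmp[--i] = '0' + u % 10;
		u /= 10;
	} while (u);
	if (v < 0)
		tmp[--i] = '-';
	return sbuf_puts(b, tmp + i);
}

/* Minimal formatter: only %s, %d and %% are understood. Stops at first failure. */
static int sbuf_printf(struct simple_buf *b, const char *fmt, ...)
{
	va_list ap;
	int ret = 0;

	va_start(ap, fmt);
	for (; ret == 0 && *fmt; fmt++) {
		if (*fmt != '%') {
			ret = sbuf_putc(b, *fmt);
			continue;
		}
		switch (*++fmt) {
		case 's': ret = sbuf_puts(b, va_arg(ap, const char *)); break;
		case 'd': ret = sbuf_putnum(b, va_arg(ap, int)); break;
		case '%': ret = sbuf_putc(b, '%'); break;
		default:  ret = -1; /* unsupported conversion or trailing '%' */
		}
	}
	va_end(ap);
	return ret;
}

/*
 * sprintf-like mode: build "self/task/<tid>/attr/current" straight into the
 * caller's buffer.  Returns the length, or -1 if dst_len is too small, in
 * which case dst holds a NUL-terminated prefix instead of an overrun.
 */
static int build_attr_path(char *dst, int dst_len, int tid)
{
	struct simple_buf b = { .buf = dst, .size = dst_len, .flush = NULL };

	dst[0] = '\0';
	if (sbuf_printf(&b, "self/task/%d/attr/current", tid) < 0)
		return -1;
	return b.pos;
}

/* Logging mode: the sink stands in for wherever a real logger writes. */
struct sink {
	char out[128];
	int len;
};

static int sink_flush(struct simple_buf *b)
{
	struct sink *s = b->priv;

	if (s->len + b->pos >= (int)sizeof(s->out))
		return -1;
	memcpy(s->out + s->len, b->buf, b->pos);
	s->len += b->pos;
	s->out[s->len] = '\0';
	return 0;
}

/* An 8-byte stage is flushed into the sink every time it fills. */
static int log_label(struct sink *s, const char *label, int tid)
{
	char stage[8];
	struct simple_buf b = { .buf = stage, .size = sizeof(stage),
				.priv = s, .flush = sink_flush };

	s->len = 0;
	s->out[0] = '\0';
	if (sbuf_printf(&b, "restoring lsm profile %s for tid %d\n", label, tid) < 0)
		return -1;
	return sbuf_finish(&b);
}

int main(void)
{
	char path[80];
	struct sink s;

	if (build_attr_path(path, sizeof(path), 4242) > 0)
		printf("%s\n", path);
	if (log_label(&s, "unconfined", 4242) == 0)
		fputs(s.out, stdout);
	return 0;
}
```

The point of the split is that both modes share one formatter: in logging mode the stage can be tiny because flush keeps draining it, while in sprintf mode a NULL flush turns "buffer full" into a return value the restorer can check, instead of either a BUG() or a silent overrun of a fixed char array.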

