[CRIU] checkpointing processes under seccomp restrictions
Tycho Andersen
tycho.andersen at canonical.com
Thu May 7 18:11:43 PDT 2015
Hi all,
This afternoon I started hacking on an example branch [1] to checkpoint
and restore processes in SECCOMP_MODE_STRICT (as an example for how
things might work if we also wanted to do SECCOMP_MODE_FILTER). It
wasn't until I finished it that I realized it can't possibly work.
CRIU injects the parasite code into the process, which makes some
syscalls that the process isn't allowed to do in STRICT (and
potentially may not be allowed to do in FILTER, depending on how the
user has configured things). This kills the process, which is
obviously bad :)
What do we do about this? It seems we have at least two options:
1. Switch things around so the parasite code isn't required. I suppose
some kernel person NAK'd this earlier, which is why the parasite
code exists.
2. Allow a root task in the init ns to un-set a process' seccomp mode
so that we can inject the parasite code successfully.
3. Some other option that I haven't thought of.
Thoughts?
Tycho
[1]: https://github.com/tych0/criu/commits/seccomp
More information about the CRIU
mailing list