[CRIU] checkpointing processes under seccomp restrictions

Serge Hallyn serge.hallyn at ubuntu.com
Thu May 7 18:27:59 PDT 2015


Quoting Tycho Andersen (tycho.andersen at canonical.com):
> Hi all,
> 
> This afternoon I started hacking on an example branch [1] to checkpoint
> and restore processes in SECCOMP_MODE_STRICT (as an example for how
> things might work if we also wanted to do SECCOMP_MODE_FILTER). It
> wasn't until I finished it that I realized it can't possibly work.
> 
> CRIU injects the parasite code into the process, which makes some
> syscalls that the process isn't allowed to do in STRICT (and
> potentially may not be allowed to do in FILTER, depending on how the
> user has configured things). This kills the process, which is
> obviously bad :)
> 
> What do we do about this? It seems we have at least two options:
> 
> 1. Switch things around so the parasite code isn't required. I suppose
>    some kernel person NAK'd this earlier, which is why the parasite
>    code exists.
> 
> 2. Allow a root task in the init ns

... who is not seccomp-confined ...

> to un-set a process' seccomp mode
>    so that we can inject the parasite code successfully.

I think (2) is pretty reasonable.

> 3. Some other option that I haven't thought of.
> 
> Thoughts?
> 
> Tycho
> 
> [1]: https://github.com/tych0/criu/commits/seccomp
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu


More information about the CRIU mailing list