[CRIU] checkpointing processes under seccomp restrictions
Serge Hallyn
serge.hallyn at ubuntu.com
Thu May 7 18:27:59 PDT 2015
Quoting Tycho Andersen (tycho.andersen at canonical.com):
> Hi all,
>
> This afternoon I started hacking on an example branch [1] to checkpoint
> and restore processes in SECCOMP_MODE_STRICT (as an example for how
> things might work if we also wanted to do SECCOMP_MODE_FILTER). It
> wasn't until I finished it that I realized it can't possibly work.
>
> CRIU injects the parasite code into the process, which makes some
> syscalls that the process isn't allowed to do in STRICT (and
> potentially may not be allowed to do in FILTER, depending on how the
> user has configured things). This kills the process, which is
> obviously bad :)
>
> What do we do about this? It seems we have at least two options:
>
> 1. Switch things around so the parasite code isn't required. I suppose
> some kernel person NAK'd this earlier, which is why the parasite
> code exists.
>
> 2. Allow a root task in the init ns
... who is not seccomp-confined ...
> to un-set a process' seccomp mode
> so that we can inject the parasite code successfully.
I think (2) is pretty reasonable.
> 3. Some other option that I haven't thought of.
>
> Thoughts?
>
> Tycho
>
> [1]: https://github.com/tych0/criu/commits/seccomp
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu
More information about the CRIU
mailing list