[CRIU] checkpointing processes under seccomp restrictions
Pavel Emelyanov
xemul at parallels.com
Fri May 8 07:57:37 PDT 2015
On 05/08/2015 04:11 AM, Tycho Andersen wrote:
> Hi all,
>
> This afternoon I started hacking on an example branch [1] to checkpoint
> and restore processes in SECCOMP_MODE_STRICT (as an example for how
> things might work if we also wanted to do SECCOMP_MODE_FILTER). It
> wasn't until I finished it that I realized it can't possibly work.
>
> CRIU injects the parasite code into the process, which makes some
> syscalls that the process isn't allowed to do in STRICT (and
> potentially may not be allowed to do in FILTER, depending on how the
> user has configured things). This kills the process, which is
> obviously bad :)
Kills?! Is there a way to fix that?
> What do we do about this? It seems we have at least two options:
>
> 1. Switch things around so the parasite code isn't required. I suppose
> some kernel person NAK'd this earlier, which is why the parasite
> code exists.
I'm afraid this is not an option.
> 2. Allow a root task in the init ns to un-set a process' seccomp mode
> so that we can inject the parasite code successfully.
>
> 3. Some other option that I haven't thought of.
Do you have the list of actions the process (parasite) is not allowed to do?
-- Pavel
More information about the CRIU
mailing list