[CRIU] checkpointing processes under seccomp restrictions
Pavel Emelyanov
xemul at parallels.com
Fri May 8 08:05:57 PDT 2015

On 05/08/2015 06:01 PM, Tycho Andersen wrote:
>>> 2. Allow a root task in the init ns to un-set a process' seccomp mode
>>> so that we can inject the parasite code successfully.
>>>
>>> 3. Some other option that I haven't thought of.
>>
>> Do you have the list of actions the process (parasite) is not allowed to do?
>
> In SECCOMP_MODE_STRICT the process is only allowed to do exit,
> sigreturn, read, and write (so all fds must already be open).

In this case we will not even be able to mmap() the memory for the parasite :(

> In SECCOMP_MODE_FILTER the restricted syscalls are user defined, so it
> could be anything.

Hm... This sounds promising -- and what's the way to change this mode for
a running process?

-- Pavel
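
The SECCOMP_MODE_STRICT case discussed in this message, as an added example that is not part of the original post and is not CRIU code: a parent reads a task's mode from the `Seccomp:` field of `/proc/<pid>/status`, then lets the strict-mode child attempt the `mmap()` a parasite would need. The function names `seccomp_mode_from_status` and `strict_child_mmap` are hypothetical, and the example assumes Linux with `/proc` mounted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/seccomp.h>

/* Seccomp field of /proc/<pid>/status text: 0 off, 1 strict, 2 filter; -1 if absent. */
int seccomp_mode_from_status(const char *status) {
    int mode;
    for (const char *p = status; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (sscanf(p, "Seccomp: %d", &mode) == 1) return mode;
    return -1;
}
/* Hypothetical helper (not CRIU code): child enters strict mode, then tries mmap(). */
int strict_child_mmap(int *mode) {
    int sv[2], st = 0;
    char c, path[64], buf[4096] = "";
    *mode = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0) _exit(2);
        if (write(sv[1], "r", 1) == 1 && read(sv[1], &c, 1) == 1)  /* both allowed */
            mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        syscall(SYS_exit, 0);          /* only reached if mmap() was never tried */
    }
    close(sv[1]);
    if (read(sv[0], &c, 1) == 1) {     /* child is now in strict mode */
        snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
        FILE *f = fopen(path, "r");
        if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
        *mode = seccomp_mode_from_status(buf);
        if (write(sv[0], "g", 1) != 1) perror("write");  /* release the child */
    }
    close(sv[0]);
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : 0;  /* signal that ended the child */
}
int main(void) {
    int mode, sig = strict_child_mmap(&mode);
    return printf("Seccomp mode: %d, child ended by signal: %d\n", mode, sig) < 0;
}
```

On a kernel with seccomp enabled, the parent reads mode 1 and the child is ended by SIGKILL at the `mmap()` call.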