[CRIU] checkpointing processes under seccomp restrictions

Tycho Andersen tycho.andersen at canonical.com
Fri May 8 08:12:33 PDT 2015


On Fri, May 08, 2015 at 06:05:57PM +0300, Pavel Emelyanov wrote:
> On 05/08/2015 06:01 PM, Tycho Andersen wrote:
> 
> >>> 2. Allow a root task in the init ns to un-set a process' seccomp mode
> >>>    so that we can inject the parasite code successfully.
> >>>
> >>> 3. Some other option that I haven't thought of.
> >>
> >> Do you have the list of actions the process (parasite) is not allowed to do?
> > 
> > In SECCOMP_MODE_STRICT the process is only allowed to do exit,
> > sigreturn, read, and write (so all fds must already be open). 
> 
> In this case we will not even be able to mmap() the memory for parasite :(

Right.

> > In SECCOMP_MODE_FILTER the restricted syscalls are user defined, so it
> > could be anything.
> 
> Hm... This sounds promising -- and what's the way to change this mode for
> a running process?

prctl(PR_SET_SECCOMP, ...);

There is currently no way to remove SECCOMP filters, so multiple calls
to prctl() are cumulative.

Tycho

> -- Pavel
> 


More information about the CRIU mailing list