[CRIU] checkpointing processes under seccomp restrictions
Tycho Andersen
tycho.andersen at canonical.com
Fri May 8 08:12:33 PDT 2015
On Fri, May 08, 2015 at 06:05:57PM +0300, Pavel Emelyanov wrote:
> On 05/08/2015 06:01 PM, Tycho Andersen wrote:
>
> >>> 2. Allow a root task in the init ns to un-set a process' seccomp mode
> >>> so that we can inject the parasite code successfully.
> >>>
> >>> 3. Some other option that I haven't thought of.
> >>
> >> Do you have the list of actions the process (parasite) is not allowed to do?
> >
> > In SECCOMP_MODE_STRICT the process is only allowed to do exit,
> > sigreturn, read, and write (so all fds must already be open).
>
> In this case we will not even be able to mmap() the memory for parasite :(
Right.
> > In SECCOMP_MODE_FILTER the restricted syscalls are user defined, so it
> > could be anything.
>
> Hm... This sounds promising -- and what's the way to change this mode for
> a running process?
prctl(PR_SET_SECCOMP, ...);
There is currently no way to remove SECCOMP filters, so multiple calls
to prctl() are cumulative.
Tycho
> -- Pavel
>
More information about the CRIU
mailing list