[CRIU] checkpointing processes under seccomp restrictions
Pavel Emelyanov
xemul at parallels.com
Fri May 8 08:18:30 PDT 2015
On 05/08/2015 06:12 PM, Tycho Andersen wrote:
>>> In SECCOMP_MODE_FILTER the restricted syscalls are user defined, so it
>>> could be anything.
>>
>> Hm... This sounds promising -- and what's the way to change this mode for
>> a running process?
>
> prctl(PR_SET_SECCOMP, ...);
Ah. And there's even the separate sys_seccomp() syscall for that.
> There is currently no way to remove SECCOMP filters, so multiple calls
> to prctl() are cumulative.
I see. And which is worse, it only works on the calling task, i.e. we will
not be able to turn off or modify the seccomp "from the outside".
So we have to patch the kernel. I don't know which way the community would
prefer, but I personally would try to start with the ptrace() command that
would temporarily (till ptrace detach) turn the seccomp mode off on the task
under trace.
-- Pavel
More information about the CRIU
mailing list