[CRIU] [PATCH 2/2] lsm: get host lsm type from the host mntns

Tycho Andersen tycho.andersen at canonical.com
Tue May 19 06:11:34 PDT 2015


On Tue, May 19, 2015 at 04:07:30PM +0300, Andrew Vagin wrote:
> On Tue, May 19, 2015 at 05:24:59AM -0700, Tycho Andersen wrote:
> > On Mon, May 18, 2015 at 09:50:39PM +0300, Andrey Vagin wrote:
> > > We check files in /sys, so we must do this from host mount namespaces.
> > 
> > Doesn't this get initialized in write_img_inventory, which is called
> > in the same sequence as kerndat_init()? I'm confused as to what this
> > changes.
> 
> write_img_inventory() is called after kerndat_init() and it's only
> called on dump. The bug is triggered on restore, because the mount
> namespace of the restored process doesn't have
> /sys/kernel/security/apparmor/
> 
> I think it's better to initialize the host lsm in one place for dump
> and restore.
> 
> Currently we initialize the host lsm when we try to use it for the first
> time. It works fine for the dump operation. On restore it doesn't work
> because criu checks files in a restored mount namespace and it does this
> for each process, which isn't optimal.

Ah, I see. Thanks!

Acked-by: Tycho Andersen <tycho.andersen at canonical.com>

