[CRIU] [PATCH 1/7] rst: unmap restore memory after seccomp restore

Tycho Andersen tycho.andersen at canonical.com
Tue Nov 3 22:04:52 PST 2015


In order to restore seccomp filters, we need to have access to dynamically
allocated memory from the restorer blob, so we should unmap this memory
afterwards. In order to do this, we need to suspend seccomp earlier, right
after we attach to the tasks instead of just before we do the unmap of the
restorer blob itself.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 cr-restore.c   | 21 ++++++++++-----------
 pie/restorer.c |  4 ++--
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/cr-restore.c b/cr-restore.c
index a33273c..78709ce 100644
--- a/cr-restore.c
+++ b/cr-restore.c
@@ -1654,6 +1654,16 @@ static int attach_to_tasks(bool root_seized, enum trace_flags *flag)
 				return -1;
 			}
 
+			/*
+			 * Suspend seccomp if necessary. We need to do this because
+			 * although seccomp is restored at the very end of the
+			 * restorer blob (and the final sigreturn is ok), here we're
+			 * doing an munmap in the process, which may be blocked by
+			 * seccomp and cause the task to be killed.
+			 */
+			if (rsti(item)->has_seccomp && suspend_seccomp(pid) < 0)
+				pr_err("failed to suspend seccomp, restore will probably fail...\n");
+
 			ret = ptrace_stop_pie(pid, rsti(item)->breakpoint, flag);
 			if (ret < 0)
 				return -1;
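Review bot: the comment added in attach_to_tasks() is carried over verbatim from finalize_restore() and still says "here we're doing an munmap in the process", which no longer describes this call site. Reword it to say that seccomp is suspended at attach time so that the later munmap calls (the one in the restorer blob and the one in finalize_restore()) are not blocked. Also, a failing suspend_seccomp(pid) is only logged with pr_err() and execution continues, while the neighbouring error paths in this hunk return -1; either return -1 here as well or state in the comment why continuing is intended.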
@@ -1694,17 +1704,6 @@ static void finalize_restore(int status)
 			goto detach;
 
 		/* Unmap the restorer blob */
-
-		/*
-		 * Suspend seccomp if necessary. We need to do this because
-		 * although seccomp is restored at the very end of the
-		 * restorer blob (and the final sigreturn is ok), here we're
-		 * doing an munmap in the process, which may be blocked by
-		 * seccomp and cause the task to be killed.
-		 */
-		if (rsti(item)->has_seccomp && suspend_seccomp(pid) < 0)
-			pr_err("failed to suspend seccomp, restore will probably fail...\n");
-
 		ctl = parasite_prep_ctl(pid, NULL);
 		if (ctl == NULL)
 			goto detach;
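Review bot: with the block removed, nothing under the "Unmap the restorer blob" comment in finalize_restore() shows that the unmap depends on seccomp already being suspended in attach_to_tasks(). A one-line comment here naming that dependency would keep it visible to anyone who later reorders the attach path.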
diff --git a/pie/restorer.c b/pie/restorer.c
index 23829a0..26494f9 100644
--- a/pie/restorer.c
+++ b/pie/restorer.c
@@ -1283,10 +1283,10 @@ long __export_restore_task(struct task_restore_args *args)
 
 	restore_posix_timers(args);
 
-	sys_munmap(args->rst_mem, args->rst_mem_size);
-
 	restore_seccomp(args->seccomp_mode);
 
+	sys_munmap(args->rst_mem, args->rst_mem_size);
+
 	/*
 	 * Sigframe stack.
 	 */
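Review bot: the new order in __export_restore_task() places sys_munmap(args->rst_mem, args->rst_mem_size) after restore_seccomp(args->seccomp_mode), so this munmap now runs with the restored filter in place and relies on the suspend_seccomp() call in attach_to_tasks() having succeeded, a failure that is only warned about there. Add a comment above restore_seccomp() saying that it needs rst_mem and that the unmap must therefore follow it, so that the ordering is not reverted by a later cleanup.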
-- 
2.5.0


