[CRIU] [PATCH 1/5] rst: unmap restore memory after seccomp restore

Tycho Andersen tycho.andersen at canonical.com
Fri Sep 4 09:22:11 PDT 2015


In order to restore seccomp filters, we need to have access to dynamically
allocated memory from the restorer blob, so we should unmap this memory
afterwards. In order to do this, we need to suspend seccomp earlier, right
after we attach to the tasks instead of just before we do the unmap of the
restorer blob itself.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 cr-restore.c   | 21 ++++++++++-----------
 pie/restorer.c |  4 ++--
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/cr-restore.c b/cr-restore.c
index b8b4473..9b71e36 100644
--- a/cr-restore.c
+++ b/cr-restore.c
@@ -1653,6 +1653,16 @@ static int attach_to_tasks(bool root_seized, enum trace_flags *flag)
 				return -1;
 			}
 
+			/*
+			 * Suspend seccomp if necessary. We need to do this because
+			 * although seccomp is restored at the very end of the
+			 * restorer blob (and the final sigreturn is ok), here we're
+			 * doing an munmap in the process, which may be blocked by
+			 * seccomp and cause the task to be killed.
+			 */
+			if (rsti(item)->has_seccomp && suspend_seccomp(pid) < 0)
+				pr_err("failed to suspend seccomp, restore will probably fail...\n");
+
 			ret = ptrace_stop_pie(pid, rsti(item)->breakpoint, flag);
 			if (ret < 0)
 				return -1;
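Review bot: in attach_to_tasks() a suspend_seccomp() failure is only reported with pr_err() and execution continues into ptrace_stop_pie(), while the checks on either side of it return -1. Now that the restorer blob and finalize_restore() both depend on this one suspension, it would be safer to fail the restore here than to continue towards a task that "will probably" be killed. The moved comment also still says "here we're doing an munmap in the process", which described finalize_restore(); it should be reworded to name the later munmap calls that this suspension protects.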
@@ -1693,17 +1703,6 @@ static void finalize_restore(int status)
 			goto detach;
 
 		/* Unmap the restorer blob */
-
-		/*
-		 * Suspend seccomp if necessary. We need to do this because
-		 * although seccomp is restored at the very end of the
-		 * restorer blob (and the final sigreturn is ok), here we're
-		 * doing an munmap in the process, which may be blocked by
-		 * seccomp and cause the task to be killed.
-		 */
-		if (rsti(item)->has_seccomp && suspend_seccomp(pid) < 0)
-			pr_err("failed to suspend seccomp, restore will probably fail...\n");
-
 		ctl = parasite_prep_ctl(pid, NULL);
 		if (ctl == NULL)
 			goto detach;
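Review bot: after this removal, nothing in finalize_restore() records that the unmap of the restorer blob depends on seccomp having been suspended back in attach_to_tasks(). A one-line note under "/* Unmap the restorer blob */" pointing at that dependency would keep a later reader from reordering the attach path, and would make it clear that filters stay unenforced for the whole span between attach and this point rather than only around the unmap.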
diff --git a/pie/restorer.c b/pie/restorer.c
index 5e1db1f..b5121db 100644
--- a/pie/restorer.c
+++ b/pie/restorer.c
@@ -1283,10 +1283,10 @@ long __export_restore_task(struct task_restore_args *args)
 
 	restore_posix_timers(args);
 
-	sys_munmap(args->rst_mem, args->rst_mem_size);
-
 	restore_seccomp(args->seccomp_mode);
 
+	sys_munmap(args->rst_mem, args->rst_mem_size);
+
 	/*
 	 * Sigframe stack.
 	 */
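Review bot: the reordered sys_munmap(args->rst_mem, args->rst_mem_size) now runs after restore_seccomp(), but the code has no comment explaining why that order is required or why it is safe. The commit message explains that the seccomp restore needs the dynamically allocated restorer memory, and the safety rests on the tracer having suspended seccomp in attach_to_tasks(). Please state both next to the call, since a filter that denies munmap would otherwise kill the task at this line. The return value of sys_munmap() is also ignored; logging a failure would make a leaked rst_mem mapping visible.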
-- 
2.5.0


