[CRIU] [PATCH 0/4] Make CRIU work from with non-root prios

Cyrill Gorcunov gorcunov at gmail.com
Mon Sep 28 09:30:00 PDT 2015


On Fri, Sep 25, 2015 at 01:01:35AM +0300, Pavel Emelyanov wrote:
> Hi,
> 
> This is prerequisite to address the recent CVE-s. We should make criu be
> able to work from regular user. The biggest obstacle so far is -- inability
> to use map_files directory. So 3 out of 4 patches in this set handle _this_.
> 
> The remaining one handles the access to pagemap and soft-dirty tracking reset.
> The latter is fixed in recent kernels (just PFN-s are not reported, but
> we can live w/o it). Soft-dirty tracking will not be accessible for regular
> user dumps, but this also can be fixed later.
> 
> Cyrill, I need your help on several things with this set:
> 
> 1. fixing the VDSO detection/fixups, as I currently just ignore them
> 2. passing correct name to memfd in patch #4, right now I use argv[0]
>    of the task we dump %)
> 3. removing the service from default setup

Pavel, I've pushed all my changes (together with your series) into
@nonroot branch. Please fetch and take a look (to not drown the list
with same patches).

I've manually dumped pipe00 test but on restore (as a regular user
under Fedora with 4.6.1 kernel) it failed trying to write ns-last-pid
kernel file, investigating...

Anyway, take a look at the series once time permits.
---
The following changes since commit 3dc209e21618ee4412a303155c922ff9153f3185:

  sk: Print socket protocol when searching (2015-09-25 18:31:22 +0300)

are available in the git repository at:

  git://github.com/cyrillos/crtools.git nonroot

for you to fetch changes up to cf3808b8dc69bf6e64c7dc87359505e6447c9cbc:

  pagemap-cache: Use greedy mode if pagemap inaccessible (2015-09-28 19:16:21 +0300)

----------------------------------------------------------------
Cyrill Gorcunov (5):
      parasite: Add @pad argument for syscall run
      parasite: Pass @MEMFD_FNAME as predefined memfd name
      vdso: Don't fail if pagemap is not accessbile
      proc_parse: Don't try to open special mappings like heap, vsyscall and such
      pagemap-cache: Use greedy mode if pagemap inaccessible

Pavel Emelyanov (4):
      kerndat: Read anon shmem dev via maps
      dump: Dont read prohibited kernel files
      proc: Use smaps path for file
      parasite: Load PIE blob via memfd

 cr-dump.c                  |   4 +-
 cr-exec.c                  |   2 +-
 include/parasite-syscall.h |   8 +++-
 include/parasite.h         |   2 +
 kerndat.c                  |  79 ++++++++++++++++++++++++++----
 mem.c                      |   2 -
 pagemap-cache.c            |  27 ++++++++---
 parasite-syscall.c         | 116 +++++++++++++++++++++++++++++++++++++++++----
 pie/parasite.c             |   9 ++++
 proc_parse.c               |  97 ++++++++++++++++++++++++++++++++++---
 vdso.c                     |  62 ++++++++++++++++--------
 11 files changed, 350 insertions(+), 58 deletions(-)

