[CRIU] [PATCH] seccomp: add a --no-seccomp option to disable dumping seccomp

Pavel Emelyanov xemul at virtuozzo.com
Wed Feb 17 09:36:40 PST 2016


On 02/17/2016 08:27 PM, Saied Kazemi wrote:
> I am running the containers with --security-opt seccomp:unconfined option,
> so there should be no security risks.

Ouch. Why does criu then see some seccomp configured on it?

> Now what can we do to make criu check pass when running on kernels that
> don't have seccomp?  The section "Checking That It Works" in 
> http://criu.org/Installation says that the users should see "Looks OK".
> But currently we can't get a "Looks OK" message even with --no-seccomp.
> Pavel had a suggestion on how to redo criu check.

Yup. We should distinguish three types of features -- those that are strictly
required to make things work (/proc/pid/map_files, ptrace PEEKSIGINFO, etc.),
those that are required, but only for "specific cases" (aio remap, tun, etc)
and those that are experimental (e.g. task-diag from Andrey).

But as far as seccomp is concerned, I'm now in doubt -- if there's no seccomp
configured on a task, criu should just dump it even if there's no support
from kernel to dump seccomp. But this seems not to be the case for Saied.

-- Pavel
 
> --Saied
> 
> 
> 
> On Wed, Feb 17, 2016 at 6:50 AM, Tycho Andersen <tycho.andersen at canonical.com> wrote:
> 
>     On Wed, Feb 17, 2016 at 05:41:28PM +0300, Pavel Emelyanov wrote:
>     > On 02/17/2016 05:15 PM, Tycho Andersen wrote:
>     > > On Wed, Feb 17, 2016 at 01:48:37PM +0300, Pavel Emelyanov wrote:
>     > >> Applied.
>     > >>
>     > >> Am I right, that the current behavior of criu is -- no seccomp configured
>     > >> on a process means no attempt to dump one is performed?
>     > >
>     > > I think so, just to restate: if no seccomp is configured on the
>     > > process then no attempt to dump the /seccomp/ stuff is made (since
>     > > there's nothing to dump). The task itself is still dumped as usual.
>     >
>     > OK :) Then Saied is potentially doing a dangerous thing with this option :)
>     > since tasks will be restored without seccomp stuff configured in.
> 
>     Yes, exactly. It does a pr_warn when it encounters this, at least.
> 
>     Tycho
> 
> 
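The thread turns on whether a task really has seccomp configured before criu dumps it. The kernel exposes this as the "Seccomp:" field of /proc/<pid>/status (0 disabled, 1 strict, 2 filter; the field exists since Linux 3.8 with CONFIG_SECCOMP). The snippet below is an added example for checking that, not CRIU code; the status-file samples are constructed, and `live_mode` reads the real file for a pid you supply.

```python
"""Report the seccomp mode of a task from /proc/<pid>/status.

Added example for this thread, not CRIU code. Mode values follow the
kernel's SECCOMP_MODE_* constants: 0 disabled, 1 strict, 2 filter.
A filter is inherited across fork/exec, so a container started with
seccomp:unconfined can still show mode 2 if an ancestor installed one.
"""
from typing import Dict, Optional

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:\\tValue' lines of a status file into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def seccomp_mode(status_text: str) -> Optional[int]:
    """Return the seccomp mode, or None when the kernel exposes no
    Seccomp field (CONFIG_SECCOMP off or kernel older than 3.8)."""
    value = parse_status(status_text).get("Seccomp")
    return int(value) if value is not None else None


def describe(status_text: str) -> str:
    """Human-readable form of the mode, distinguishing 'no field' from 0."""
    mode = seccomp_mode(status_text)
    if mode is None:
        return "unknown (no Seccomp field in status)"
    return SECCOMP_MODES.get(mode, f"unknown mode {mode}")


def live_mode(pid: int) -> Optional[int]:
    """Read the real status file of a running task (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return seccomp_mode(f.read())


# Constructed samples, modelled on the layout of /proc/<pid>/status.
SAMPLE_FILTERED = "Name:\tsh\nPid:\t1234\nSeccomp:\t2\nThreads:\t1\n"
SAMPLE_UNCONFINED = "Name:\tsh\nPid:\t1235\nSeccomp:\t0\nThreads:\t1\n"
SAMPLE_OLD_KERNEL = "Name:\tsh\nPid:\t1236\nThreads:\t1\n"

if __name__ == "__main__":
    for sample in (SAMPLE_FILTERED, SAMPLE_UNCONFINED, SAMPLE_OLD_KERNEL):
        print(parse_status(sample)["Pid"], describe(sample))
```

A task reporting mode 2 carries a filter that a restore without seccomp support would drop, which is the case the warning in the thread refers to.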