[CRIU] Q: Seccomp in multi-thread tasks

Tycho Andersen tycho.andersen at canonical.com
Mon Jan 9 03:18:32 PST 2017


On Mon, Jan 09, 2017 at 12:47:24PM +0300, Pavel Emelyanov wrote:
> Hi, Tycho!
> 
> While looking at the https://github.com/xemul/criu/issues/268 issue I've
> noticed that since commit 221af18e (seccomp: add support for SECCOMP_MODE_FILTER)
> the call to restore_seccomp() is removed from __export_restore_thread() which
> should result in seccomp not being restored for sub-threads.
> 
> Am I correct with this? What was the reason for this removal?

I think it's because the filters are stored on the creds struct, which
CRIU only keeps one copy of right now. We require any filters to be
the same across all threads in a thread group, similar to how we do
the rest of the members of the creds struct (via
proc_status_creds_eq), so I think the idea was that we'd only have to
restore the seccomp policy once. That said, it looks wrong, since
there's no way to restore the seccomp policy across the whole thread
group, so we should probably re-add it.

Tycho

> -- Pavel
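
Added example, not part of the original thread and not CRIU code: a check that every thread of a task reports the same credentials and seccomp mode as its thread-group leader, which would flag sub-threads left without seccomp after a restore. The function names and the sample status text are constructed for illustration.

```python
import os

# Fields of /proc/<pid>/task/<tid>/status compared per thread. "Seccomp" is
# only the mode (0 disabled, 1 strict, 2 filter): equal modes do not prove
# that the attached filter programs are identical.
FIELDS = ("Uid", "Gid", "Groups", "CapInh", "CapPrm", "CapEff", "CapBnd",
          "NoNewPrivs", "Seccomp")


def parse_status(text):
    """Return the compared fields of one status file as {name: value}."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in FIELDS:
            out[name] = " ".join(value.split())  # normalise tabs and spaces
    return out


def thread_mismatches(statuses, leader_tid):
    """statuses: {tid: status text}. Return {tid: {field: (leader, thread)}}
    for each thread whose fields differ from the thread-group leader."""
    leader = parse_status(statuses[leader_tid])
    report = {}
    for tid, text in sorted(statuses.items()):
        cur = parse_status(text)
        diff = {f: (leader.get(f), cur.get(f))
                for f in FIELDS if leader.get(f) != cur.get(f)}
        if diff:
            report[tid] = diff
    return report


def read_task_statuses(pid):
    """Read the status file of every thread of a live Linux process."""
    result = {}
    for tid in os.listdir(f"/proc/{pid}/task"):
        with open(f"/proc/{pid}/task/{tid}/status") as fh:
            result[int(tid)] = fh.read()
    return result


# Constructed sample: leader 100 is in filter mode, thread 101 has no seccomp.
_CREDS = "Uid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\nNoNewPrivs:\t1\n"
SAMPLE = {100: "Name:\tapp\nPid:\t100\n" + _CREDS + "Seccomp:\t2\n",
          101: "Name:\tapp\nPid:\t101\n" + _CREDS + "Seccomp:\t0\n"}

if __name__ == "__main__":
    print(thread_mismatches(SAMPLE, 100))
```

For a live process, pass `read_task_statuses(pid)` and `pid` to `thread_mismatches`; an empty result means all threads match the leader on the compared fields.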

