[CRIU] ✗ travis-ci: failure for series starting with [PATCHv2,1/5] locks: Add c/r of non broken leases (kernel>=v4.1)

Andrei Vagin avagin at virtuozzo.com
Tue Sep 5 00:12:38 MSK 2017


On Sun, Sep 03, 2017 at 05:36:58PM +0300, Pavel Begunkov wrote:
> Seems, CRIU can't set a lease on a file when user namespaces are used.
> So, I found a notice from *fcntl* man:
> 
> "An unprivileged process may take out a lease only on a file whose UID
> (owner) matches the filesystem UID of the process.  A process with the
> CAP_LEASE capability may take out leases on arbitrary files."
> 
> I suppose, that restore stage is performed in user namespace and,
> because of that, filesystem UID of new process differ from the original
> one. Thus, it leads to violation of statements above.
> 
> Could somebody with a better understanding of namespaces in CRIU tell if
> it sounds reasonable and guess what I can do about it, please?

It is possible to use something like this:

diff --git a/criu/file-lock.c b/criu/file-lock.c
index c2db04497..1b75fdfdc 100644
--- a/criu/file-lock.c
+++ b/criu/file-lock.c
@@ -516,6 +516,8 @@ static int restore_breaking_file_lease(FileLockEntry
*fle)
        return 0;
 }
 
+int setfsuid(uid_t fsuid);
+int setfsgid(gid_t fsuid);
 static int restore_file_lease(FileLockEntry *fle)
 {
        int ret;
@@ -523,9 +525,17 @@ static int restore_file_lease(FileLockEntry *fle)
        if (fle->type & LEASE_BREAKING) {
                return restore_breaking_file_lease(fle);
        } else {
+               struct stat st;
+               int old_fsuid;
+               if (fstat(fle->fd, &st)) {
+                       pr_perror("stat");
+                       return 1;
+               }
+               old_fsuid = setfsuid(st.st_uid);
                ret = fcntl(fle->fd, F_SETLEASE, fle->type);
                if (ret < 0)
                        pr_perror("Can't restore non broken lease");
+               setfsuid(old_fsuid);
                return ret;
        }
 }


And if this way will fail too, we can create a slow path, which will
work via the usernsd daemon. Usernsd is running in the root user
namespaces with all capabilities, and it is possible to ask it to
set a lease. You need to look at userns_call().

> 
> 
> On 30/08/17 04:04, Pavel Begunkov wrote:
> > Yeah, thanks. Soon I'll make time to fix it along with one's noticed by
> > Pavel.
> > 
> > On 30/08/17 02:43, Andrei Vagin wrote:
> >> ===================== Run zdtm/static/file_lease01 in uns ======================
> >> Start test
> >> ./file_lease01 --pidfile=file_lease01.pid --outfile=file_lease01.out --filename=file_lease01.test
> >> Run criu dump
> >> Run criu restore
> >> =[log]=> dump/zdtm/static/file_lease01/124/1/restore.log
> >> ------------------------ grep Error ------------------------
> >> (00.308462)      4: 		Create fd for 3
> >> (00.308480)      4: 		Create fd for 4
> >> (00.308486)      4: 		Create fd for 5
> >> (00.308491)      4: 		Create fd for 6
> >> (00.308510)      4: Error (criu/file-lock.c:528): Can't restore non broken lease: Permission denied
> >> (00.310868)      1: Error (criu/cr-restore.c:1527): 4 exited, status=1
> >> (00.346609) uns: calling exit_usernsd (-1, 1)
> >> (00.346678) uns: daemon calls 0x4d3390 (146, -1, 1)
> >> (00.346690) uns: `- daemon exits w/ 0
> >> (00.349075) uns: daemon stopped
> >> (00.349092) Error (criu/cr-restore.c:2412): Restoring FAILED.
> >> ------------------------ ERROR OVER ------------------------
> >> ############## Test zdtm/static/file_lease01 FAIL at CRIU restore ##############
> >>
> >> On Mon, Aug 14, 2017 at 01:12:36AM +0000, Patchwork wrote:
> >>> == Series Details ==
> >>>
> >>> Series: series starting with [PATCHv2,1/5] locks: Add c/r of non broken leases (kernel>=v4.1)
> >>> URL   : https://patchwork.criu.org/series/1885/
> >>> State : failure
> >>>
> >>> == Logs ==
> >>>
> >>> For more details see: https://travis-ci.org/criupatchwork/criu/builds/264198066?utm_source=github_status&utm_medium=notification
> >>> _______________________________________________
> >>> CRIU mailing list
> >>> CRIU at openvz.org
> >>> https://lists.openvz.org/mailman/listinfo/criu
> > 
> 
> -- 
> Yours sincerely,
> Pavel
> 





More information about the CRIU mailing list