[CRIU] [PATCH 08/27] seccomp: Drop pi_creds from dmp_info
Cyrill Gorcunov
gorcunov at openvz.org
Thu Mar 1 15:41:30 MSK 2018
From: Cyrill Gorcunov <gorcunov at virtuozzo.com>
pi_creds is no longer needed. Because of this we don't
need to allocate this entry dynamically.
Also creds_dumpable is no longer needed because
the only thing we need to check is the seccomp mode.
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
criu/cr-dump.c | 19 ++++++++-----
criu/include/pstree.h | 2 +-
criu/seccomp.c | 4 +--
criu/seize.c | 77 ++++++++++++---------------------------------------
4 files changed, 32 insertions(+), 70 deletions(-)
diff --git a/criu/cr-dump.c b/criu/cr-dump.c
index 094d016489ea..7a2a5fa6e51e 100644
--- a/criu/cr-dump.c
+++ b/criu/cr-dump.c
@@ -746,7 +746,7 @@ static int dump_task_core_all(struct parasite_ctl *ctl,
CoreEntry *core = item->core[0];
pid_t pid = item->pid->real;
int ret = -1;
- struct proc_status_creds *creds;
+ struct seccomp_entry *entry;
struct parasite_dump_cgroup_args cgroup_args, *info = NULL;
BUILD_BUG_ON(sizeof(cgroup_args) < PARASITE_ARG_SIZE_MIN);
@@ -759,15 +759,20 @@ static int dump_task_core_all(struct parasite_ctl *ctl,
if (ret < 0)
goto err;
- creds = dmpi(item)->pi_creds;
- if (creds->s.seccomp_mode != SECCOMP_MODE_DISABLED) {
- pr_info("got seccomp mode %d for %d\n", creds->s.seccomp_mode, vpid(item));
+ entry = seccomp_find_entry(item, pid);
+ if (!entry) {
+ ret = -1;
+ goto err;
+ }
+
+ if (entry->mode != SECCOMP_MODE_DISABLED) {
+ pr_info("got seccomp mode %d for %d\n", entry->mode, vpid(item));
core->tc->has_seccomp_mode = true;
- core->tc->seccomp_mode = creds->s.seccomp_mode;
+ core->tc->seccomp_mode = entry->mode;
- if (creds->s.seccomp_mode == SECCOMP_MODE_FILTER) {
+ if (entry->mode == SECCOMP_MODE_FILTER) {
core->tc->has_seccomp_filter = true;
- core->tc->seccomp_filter = creds->last_filter;
+ core->tc->seccomp_filter = dmpi(item)->last_filter;
}
}
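Review bot: The new `if (!entry)` branch in dump_task_core_all sets `ret = -1` and jumps to `err` without logging anything, so a dump that aborts on a missing seccomp entry leaves no trace of why, unless seccomp_find_entry itself logs (not visible here). I would add `pr_err("Can't find seccomp entry for %d\n", pid);` before `ret = -1;`. The same silent bail-out appears in collect_threads in criu/seize.c, where `if (!task_seccomp_entry) goto err;` also runs before `ret` has been assigned, which matters if the `err` label there returns `ret`. The function body starts and ends outside this hunk.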
diff --git a/criu/include/pstree.h b/criu/include/pstree.h
index c223238b6be2..ad67eb07e799 100644
--- a/criu/include/pstree.h
+++ b/criu/include/pstree.h
@@ -62,7 +62,7 @@ struct dmp_info {
struct ns_id *netns;
struct seccomp_entry *seccomp_entry;
size_t nr_seccomp_entry;
- struct proc_status_creds *pi_creds;
+ unsigned int last_filter;
struct page_pipe *mem_pp;
struct parasite_ctl *parasite_ctl;
};
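Review bot: `last_filter` is added to struct dmp_info without a comment, and its initial value now depends on how dmp_info is allocated rather than on the `xzalloc()` that used to back pi_creds. collect_filter_for_pstree reads `dmpi(item->parent)->last_filter` and passes it to find_inherited(), so a dmp_info that is not zeroed would feed an arbitrary filter id into that lookup. The allocation site is not part of this patch, so this is worth confirming. A short comment on the field, such as `/* id of the last seccomp filter collected for this task */`, would also help.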
diff --git a/criu/seccomp.c b/criu/seccomp.c
index 90a708117390..00a1a94656b7 100644
--- a/criu/seccomp.c
+++ b/criu/seccomp.c
@@ -139,7 +139,7 @@ static int collect_filter_for_pstree(struct pstree_item *item)
}
}
- last_filter = dmpi(item->parent)->pi_creds->last_filter;
+ last_filter = dmpi(item->parent)->last_filter;
inherited = find_inherited(last_filter, buf, len, meta);
if (inherited) {
bool found = false;
@@ -200,7 +200,7 @@ static int collect_filter_for_pstree(struct pstree_item *item)
next_filter_id += info_count;
- dmpi(item)->pi_creds->last_filter = infos->id;
+ dmpi(item)->last_filter = infos->id;
/* Don't free the part of the tree we just successfully acquired */
infos = NULL;
diff --git a/criu/seize.c b/criu/seize.c
index 722ffc5bb79a..2223ab27e362 100644
--- a/criu/seize.c
+++ b/criu/seize.c
@@ -464,7 +464,7 @@ static int collect_children(struct pstree_item *item)
nr_inprogress = 0;
for (i = 0; i < nr_children; i++) {
struct pstree_item *c;
- struct proc_status_creds *creds;
+ struct proc_status_creds creds;
pid_t pid = ch[i];
/* Is it already frozen? */
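Review bot: `struct proc_status_creds creds;` is now an uninitialized stack object, whereas the removed code obtained it zeroed from `xzalloc()`. `creds.s.seccomp_mode` is later passed to seccomp_collect_entry(), so if parse_task_status does not write that field on every successful path (its body is not in this patch), the recorded seccomp mode would be whatever was on the stack. Adding `memset(&creds, 0, sizeof(creds));` before the compel_wait_task() call keeps the old guarantee. The same applies to the `creds` declaration in collect_pstree further down. collect_children's body extends beyond this hunk.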
@@ -490,13 +490,7 @@ static int collect_children(struct pstree_item *item)
/* fails when meets a zombie */
compel_interrupt_task(pid);
- creds = xzalloc(sizeof(*creds));
- if (!creds) {
- ret = -1;
- goto free;
- }
-
- ret = compel_wait_task(pid, item->pid->real, parse_task_status, NULL, &creds->s, c);
+ ret = compel_wait_task(pid, item->pid->real, parse_task_status, NULL, &creds.s, c);
if (ret < 0) {
/*
* Here is a race window between parse_children() and seize(),
@@ -507,7 +501,6 @@ static int collect_children(struct pstree_item *item)
*/
ret = 0;
free_pstree_item(c);
- xfree(creds);
continue;
}
@@ -516,13 +509,12 @@ static int collect_children(struct pstree_item *item)
else
processes_to_wait--;
- dmpi(c)->pi_creds = creds;
c->pid->real = pid;
c->parent = item;
c->pid->state = ret;
list_add_tail(&c->sibling, &item->children);
- ret = seccomp_collect_entry(c, pid, creds->s.seccomp_mode);
+ ret = seccomp_collect_entry(c, pid, creds.s.seccomp_mode);
if (ret < 0)
goto free;
@@ -636,46 +628,6 @@ static inline bool thread_collected(struct pstree_item *i, pid_t tid)
return false;
}
-static bool creds_dumpable(struct proc_status_creds *parent,
- struct proc_status_creds *child)
-{
- /*
- * - seccomp filters should be passed via
- * semantic comparison (FIXME) but for
- * now we require them to be exactly
- * identical
- */
- if (parent->s.seccomp_mode != child->s.seccomp_mode ||
- parent->last_filter != child->last_filter) {
- if (!pr_quelled(LOG_DEBUG)) {
- pr_debug("Creds undumpable (parent:child)\n"
- " uids: %d:%d %d:%d %d:%d %d:%d\n"
- " gids: %d:%d %d:%d %d:%d %d:%d\n"
- " state: %d:%d"
- " ppid: %d:%d\n"
- " shdpnd: %llu:%llu\n"
- " seccomp_mode: %d:%d\n"
- " last_filter: %u:%u\n",
- parent->uids[0], child->uids[0],
- parent->uids[1], child->uids[1],
- parent->uids[2], child->uids[2],
- parent->uids[3], child->uids[3],
- parent->gids[0], child->gids[0],
- parent->gids[1], child->gids[1],
- parent->gids[2], child->gids[2],
- parent->gids[3], child->gids[3],
- parent->s.state, child->s.state,
- parent->s.ppid, child->s.ppid,
- parent->s.shdpnd, child->s.shdpnd,
- parent->s.seccomp_mode, child->s.seccomp_mode,
- parent->last_filter, child->last_filter);
- }
- return false;
- }
-
- return true;
-}
-
static int parse_thread_status(int pid, struct seize_task_status *ss, void *thread)
{
return parse_pid_status(pid, ss, NULL, thread);
@@ -683,10 +635,15 @@ static int parse_thread_status(int pid, struct seize_task_status *ss, void *thre
static int collect_threads(struct pstree_item *item)
{
+ struct seccomp_entry *task_seccomp_entry;
struct pid **threads = NULL;
int nr_threads = 0, i = 0, j, ret, nr_inprogress, nr_stopped = 0;
int level = item->pid->level, id;
+ task_seccomp_entry = seccomp_find_entry(item, item->pid->real);
+ if (!task_seccomp_entry)
+ goto err;
+
ret = parse_threads(item->pid->real, &threads, &nr_threads);
if (ret < 0)
goto err;
@@ -770,8 +727,13 @@ static int collect_threads(struct pstree_item *item)
if (seccomp_collect_entry(item, pid, t_creds.s.seccomp_mode))
goto err;
- if (!creds_dumpable(dmpi(item)->pi_creds, &t_creds))
+ if (task_seccomp_entry->mode != t_creds.s.seccomp_mode) {
+ pr_err("Unsupported seccomp mode change: tids %d %d modes %d %d\n",
+ item->pid->real, pid,
+ task_seccomp_entry->mode,
+ t_creds.s.seccomp_mode);
goto err;
+ }
if (ret == TASK_STOPPED) {
nr_stopped++;
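Review bot: The replacement check compares only `task_seccomp_entry->mode` with `t_creds.s.seccomp_mode`, while the removed creds_dumpable() also rejected a `last_filter` mismatch. Two threads can both be in SECCOMP_MODE_FILTER yet carry different filter chains, and dump_task_core_all still writes a single `dmpi(item)->last_filter` into the core image. Such a task could presumably be restored with a filter set that differs from what some thread had, unless a later patch in the series records filters per thread. If mode-only comparison is intended, a comment above the check such as `/* per-thread filters are not compared here, only the mode */` would make the narrowing explicit. The enclosing loop in collect_threads starts outside this hunk.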
@@ -863,7 +825,7 @@ int collect_pstree(void)
{
pid_t pid = root_item->pid->real;
int ret = -1;
- struct proc_status_creds *creds;
+ struct proc_status_creds creds;
timing_start(TIME_FREEZING);
@@ -882,11 +844,7 @@ int collect_pstree(void)
goto err;
}
- creds = xzalloc(sizeof(*creds));
- if (!creds)
- goto err;
-
- ret = compel_wait_task(pid, -1, parse_task_status, NULL, &creds->s, root_item);
+ ret = compel_wait_task(pid, -1, parse_task_status, NULL, &creds.s, root_item);
if (ret < 0)
goto err;
@@ -897,9 +855,8 @@ int collect_pstree(void)
pr_info("Seized task %d, state %d\n", pid, ret);
root_item->pid->state = ret;
- dmpi(root_item)->pi_creds = creds;
- ret = seccomp_collect_entry(root_item, pid, creds->s.seccomp_mode);
+ ret = seccomp_collect_entry(root_item, pid, creds.s.seccomp_mode);
if (ret < 0)
goto err;
--
2.14.3