[CRIU] [PATCH 04/27] seccomp: Collect seccomp data on per-thread basis
Cyrill Gorcunov
gorcunov at openvz.org
Thu Mar 1 15:41:26 MSK 2018
From: Cyrill Gorcunov <gorcunov at virtuozzo.com>
No real handling yet, preparation for further development.
Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
criu/include/pstree.h | 7 +++----
criu/include/seccomp.h | 9 +++++++++
criu/pstree.c | 1 +
criu/seccomp.c | 23 +++++++++++++++++++++++
criu/seize.c | 12 ++++++++++++
5 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/criu/include/pstree.h b/criu/include/pstree.h
index 08f25384f2c5..c223238b6be2 100644
--- a/criu/include/pstree.h
+++ b/criu/include/pstree.h
@@ -4,6 +4,7 @@
#include "common/list.h"
#include "common/lock.h"
#include "pid.h"
+#include "xmalloc.h"
#include "images/core.pb-c.h"
/*
@@ -59,10 +60,8 @@ static inline struct rst_info *rsti(struct pstree_item *i)
struct ns_id;
struct dmp_info {
struct ns_id *netns;
- /*
- * We keep the creds here so that we can compare creds while seizing
- * threads. Dumping tasks with different creds is not supported.
- */
+ struct seccomp_entry *seccomp_entry;
+ size_t nr_seccomp_entry;
struct proc_status_creds *pi_creds;
struct page_pipe *mem_pp;
struct parasite_ctl *parasite_ctl;
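Review bot: The comment deleted above `pi_creds` in `struct dmp_info` still seems to describe live behaviour, because collect_threads() in this same patch keeps calling `creds_dumpable(dmpi(item)->pi_creds, &t_creds)`. Removing it leaves the "different creds are not supported" restriction undocumented at the field that enforces it. I would keep the comment directly above `pi_creds` and give the new fields a line of their own, for example `/* seccomp mode per seized tid; nr_seccomp_entry elements, freed in free_pstree_item() */`. The struct body continues past the end of this hunk.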
diff --git a/criu/include/seccomp.h b/criu/include/seccomp.h
index b50ea34e20bb..d1b2dcd3d81d 100644
--- a/criu/include/seccomp.h
+++ b/criu/include/seccomp.h
@@ -27,6 +27,15 @@
#define SECCOMP_FILTER_FLAG_TSYNC 1
#endif
+struct pstree_item;
+
+struct seccomp_entry {
+ pid_t tid;
+ unsigned int mode;
+};
+
+extern int seccomp_collect_entry(const struct pstree_item *item, pid_t tid, unsigned int mode);
+
struct seccomp_info {
struct seccomp_info *prev;
int id;
diff --git a/criu/pstree.c b/criu/pstree.c
index 7ecdba00c139..3b802a64a419 100644
--- a/criu/pstree.c
+++ b/criu/pstree.c
@@ -180,6 +180,7 @@ void free_pstree_item(struct pstree_item *item)
{
pstree_free_cores(item);
xfree(item->threads);
+ xfree(dmpi(item)->seccomp_entry);
xfree(item->pid);
xfree(item->pgid);
xfree(item->sid);
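Review bot: `xfree(dmpi(item)->seccomp_entry)` in free_pstree_item() assumes every item passed here carries a `struct dmp_info`, and that assumption should be stated or enforced. pstree.h also has `rsti()`, so items with restore-side info exist. If this helper can ever be reached with one of those, `dmpi()` would reinterpret unrelated memory and hand a non-pointer to the allocator. The hunk does not show the callers, so this may already be dump-only; if so, a comment such as `/* dump-side items only: dmpi() is not valid for restore items */` would record it. Resetting `nr_seccomp_entry` together with the pointer would also keep the pair consistent. The function body continues outside the hunk.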
diff --git a/criu/seccomp.c b/criu/seccomp.c
index 63a1eb298b58..16e965820838 100644
--- a/criu/seccomp.c
+++ b/criu/seccomp.c
@@ -18,6 +18,29 @@
#include "protobuf.h"
#include "images/seccomp.pb-c.h"
+int seccomp_collect_entry(const struct pstree_item *item, pid_t tid, unsigned int mode)
+{
+ struct dmp_info *dinfo = dmpi(item);
+ struct seccomp_entry *entry;
+ size_t new_size;
+
+ new_size = sizeof(*dinfo->seccomp_entry) * (dinfo->nr_seccomp_entry + 1);
+ if (xrealloc_safe(&dinfo->seccomp_entry, new_size)) {
+ pr_err("Can't collect seccomp entry for item %d tid %d\n",
+ item->pid->real, tid);
+ return -ENOMEM;
+ }
+
+ entry = &dinfo->seccomp_entry[dinfo->nr_seccomp_entry];
+ entry->tid = tid;
+ entry->mode = mode;
+
+ dinfo->nr_seccomp_entry++;
+ pr_debug("Collected tid %d mode %#x (%zu entries)\n",
+ tid, mode, dinfo->nr_seccomp_entry);
+ return 0;
+}
+
/* populated on dump during collect_seccomp_filters() */
static int next_filter_id = 0;
static struct seccomp_info **filters = NULL;
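Review bot: `seccomp_collect_entry()` takes `const struct pstree_item *item` yet grows and writes the `seccomp_entry` array reached through `dmpi(item)`, so the qualifier promises callers something the function does not keep. Dropping `const` here and in the seccomp.h prototype would make the mutation visible. The function also lacks a header comment saying that the array is owned by the item's dump info, is appended to once per seized tid, and is released in free_pstree_item(). The size computation `sizeof(*dinfo->seccomp_entry) * (dinfo->nr_seccomp_entry + 1)` is unchecked; it is presumably bounded by the number of threads seized, and a short comment saying so would settle the question for later readers.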
diff --git a/criu/seize.c b/criu/seize.c
index e1780c7ec063..722ffc5bb79a 100644
--- a/criu/seize.c
+++ b/criu/seize.c
@@ -17,6 +17,7 @@
#include "criu-log.h"
#include <compel/ptrace.h>
#include "proc_parse.h"
+#include "seccomp.h"
#include "seize.h"
#include "stats.h"
#include "xmalloc.h"
@@ -521,6 +522,10 @@ static int collect_children(struct pstree_item *item)
c->pid->state = ret;
list_add_tail(&c->sibling, &item->children);
+ ret = seccomp_collect_entry(c, pid, creds->s.seccomp_mode);
+ if (ret < 0)
+ goto free;
+
/* Here is a recursive call (Depth-first search) */
ret = collect_task(c);
if (ret < 0)
@@ -762,6 +767,9 @@ static int collect_threads(struct pstree_item *item)
goto err;
}
+ if (seccomp_collect_entry(item, pid, t_creds.s.seccomp_mode))
+ goto err;
+
if (!creds_dumpable(dmpi(item)->pi_creds, &t_creds))
goto err;
@@ -891,6 +899,10 @@ int collect_pstree(void)
root_item->pid->state = ret;
dmpi(root_item)->pi_creds = creds;
+ ret = seccomp_collect_entry(root_item, pid, creds->s.seccomp_mode);
+ if (ret < 0)
+ goto err;
+
ret = collect_task(root_item);
if (ret < 0)
goto err;
--
2.14.3