<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 15, 2014 at 2:59 AM, Andrew Vagin <span dir="ltr"><<a href="mailto:avagin@parallels.com" target="_blank">avagin@parallels.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="">On Fri, Aug 15, 2014 at 12:22:15PM +0400, Andrew Vagin wrote:<br>
> Hi Sophie,<br>
><br>
> On Wed, Aug 13, 2014 at 07:47:49PM -0700, Sophie Blee-Goldman wrote:<br>
> > Needed for future user namespace support. Capabilities will have to be<br>
> > dumped from the parasite, ie from inside the namespace since there is no<br>
> > obvious way to 'translate' capabilities from the global namespace (unlike<br>
> > with uids and gids, where the id mappings can be used for translation).<br>
><br>
> "capabilities" are not translated between namespaces. They can exist<br>
> only in one userns, where a process lives. If a process is created in a<br>
> new userns, it gets a full set of capabilities in this userns, and<br>
> loses all caps in a parent userns.<br>
><br>
> So if capabilities are not shown in /proc/pid/stat, we have no way to<br>
> get it except of using parasite code.<br></div></blockquote><div><br></div><div>Yes sorry, my explanation was poorly phrased but that is what I meant.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="">
> The patch looks mostly good, but I have a few comments below.<br>
<br>
</div>It's obvious how to fix the last comment. All other comments are cosmetic.<br></blockquote><div><br></div><div>This patch needs to be applied on top of <a href="http://lists.openvz.org/pipermail/criu/2014-August/015572.html">[PATCH 2/4] Move function definition</a>,</div>
<div>which should take care of the compiler error.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Acked-by: Andrew Vagin <<a href="mailto:avagin@parallels.com">avagin@parallels.com</a>><br>
<div><div class="h5"><br>
><br>
> ><br>
> > Signed-off-by: Sophie Blee-Goldman <<a href="mailto:ableegoldman@google.com">ableegoldman@google.com</a>><br>
> > ---<br>
> > arch/arm/syscall.def | 1 +<br>
> > arch/x86/syscall-x86-64.def | 1 +<br>
> > cr-dump.c | 17 +++--------------<br>
> > include/parasite.h | 15 +++++++++++++--<br>
> > include/prctl.h | 3 +++<br>
> > kerndat.c | 2 ++<br>
> > parasite-syscall.c | 11 +++++++++++<br>
> > pie/parasite.c | 36 +++++++++++++++++++++++++++++++++++-<br>
> > 8 files changed, 69 insertions(+), 17 deletions(-)<br>
> ><br>
> > diff --git a/arch/arm/syscall.def b/arch/arm/syscall.def<br>
> > index c539e3e..02eaa65 100644<br>
> > --- a/arch/arm/syscall.def<br>
> > +++ b/arch/arm/syscall.def<br>
> > @@ -59,6 +59,7 @@ getpgid 155 132 (pid_t pid)<br>
> > setfsuid 151 138 (int fsuid)<br>
> > setfsgid 152 139 (int fsgid)<br>
> > getsid 156 147 (void)<br>
> > +capget 90 184 (struct cap_header *h, struct cap_data *d)<br>
> > capset 91 185 (struct cap_header *h, struct cap_data *d)<br>
> > rt_sigqueueinfo 138 178 (pid_t pid, int sig, siginfo_t *info)<br>
> > setpriority 140 97 (int which, int who, int nice)<br>
> > diff --git a/arch/x86/syscall-x86-64.def b/arch/x86/syscall-x86-64.def<br>
> > index 878cf79..ec86dfe 100644<br>
> > --- a/arch/x86/syscall-x86-64.def<br>
> > +++ b/arch/x86/syscall-x86-64.def<br>
> > @@ -59,6 +59,7 @@ __NR_getpgid 121 sys_getpgid (pid_t pid)<br>
> > __NR_setfsuid 122 sys_setfsuid (int fsuid)<br>
> > __NR_setfsgid 123 sys_setfsgid (int fsgid)<br>
> > __NR_getsid 124 sys_getsid (void)<br>
> > +__NR_capget 125 sys_capget (struct cap_header *h, struct cap_data *d)<br>
> > __NR_capset 126 sys_capset (struct cap_header *h, struct cap_data *d)<br>
> > __NR_rt_sigqueueinfo 129 sys_rt_sigqueueinfo (pid_t pid, int sig, siginfo_t *info)<br>
> > __NR_sigaltstack 131 sys_sigaltstack (const void *uss, void *uoss)<br>
> > diff --git a/cr-dump.c b/cr-dump.c<br>
> > index 1700d9d..f52af65 100644<br>
> > --- a/cr-dump.c<br>
> > +++ b/cr-dump.c<br>
> > @@ -502,10 +502,6 @@ static int dump_task_creds(struct parasite_ctl *ctl,<br>
> > {<br>
> > CredsEntry ce = CREDS_ENTRY__INIT;<br>
> ><br>
> > - pr_info("\n");<br>
> > - pr_info("Dumping creds for %d)\n", ctl->pid.real);<br>
> > - pr_info("----------------------------------------\n");<br>
> > -<br>
> > ce.uid = cr->uids[0];<br>
> > ce.gid = cr->gids[0];<br>
> > ce.euid = cr->uids[1];<br>
> > @@ -515,16 +511,9 @@ static int dump_task_creds(struct parasite_ctl *ctl,<br>
> > ce.fsuid = cr->uids[3];<br>
> > ce.fsgid = cr->gids[3];<br>
> ><br>
> > - BUILD_BUG_ON(CR_CAP_SIZE != PROC_CAP_SIZE);<br>
> > -<br>
> > - ce.n_cap_inh = CR_CAP_SIZE;<br>
> > - ce.cap_inh = cr->cap_inh;<br>
> > - ce.n_cap_prm = CR_CAP_SIZE;<br>
> > - ce.cap_prm = cr->cap_prm;<br>
> > - ce.n_cap_eff = CR_CAP_SIZE;<br>
> > - ce.cap_eff = cr->cap_eff;<br>
> > - ce.n_cap_bnd = CR_CAP_SIZE;<br>
> > - ce.cap_bnd = cr->cap_bnd;<br>
> > + pr_info("\n");<br>
> > + pr_info("Dumping creds for %d)\n", ctl->pid.real);<br>
> > + pr_info("----------------------------------------\n");<br>
> ><br>
> > if (parasite_dump_creds(ctl, &ce) < 0)<br>
> > return -1;<br>
> > diff --git a/include/parasite.h b/include/parasite.h<br>
> > index af81d85..d6d243d 100644<br>
> > --- a/include/parasite.h<br>
> > +++ b/include/parasite.h<br>
> > @@ -166,10 +166,21 @@ struct parasite_dump_misc {<br>
> > * Calculate how long we can make the groups array in parasite_dump_creds<br>
> > * and still fit the struct in one page<br>
> > */<br>
> > -#define PARASITE_MAX_GROUPS \<br>
> > - ((PAGE_SIZE - 2 * sizeof(unsigned int)) / sizeof(unsigned int))<br>
> > +#define PARASITE_MAX_GROUPS \<br>
> > + (PAGE_SIZE \<br>
> > + - sizeof(unsigned int) /* cap_last_cap */ \<br>
> > + - 4 * CR_CAP_SIZE * sizeof(u32) /* cap_{inh,prm,eff,bnd} */ \<br>
> > + - 2 * sizeof(unsigned int) /* secbits, ngroups*/ \<br>
> > + ) / sizeof(unsigned int) /* groups */<br>
> ><br>
> > struct parasite_dump_creds {<br>
> > + unsigned int cap_last_cap;<br>
> > +<br>
> > + u32 cap_inh[CR_CAP_SIZE];<br>
> > + u32 cap_prm[CR_CAP_SIZE];<br>
> > + u32 cap_eff[CR_CAP_SIZE];<br>
> > + u32 cap_bnd[CR_CAP_SIZE];<br>
> > +<br>
> > unsigned int secbits;<br>
> > unsigned int ngroups;<br>
> > unsigned int groups[PARASITE_MAX_GROUPS];<br>
><br>
> Maybe we may rewrite this code like this:<br>
><br>
> struct parasite_dump_creds {<br>
> unsigned int cap_last_cap;<br>
><br>
> u32 cap_inh[CR_CAP_SIZE];<br>
> u32 cap_prm[CR_CAP_SIZE];<br>
> u32 cap_eff[CR_CAP_SIZE];<br>
> u32 cap_bnd[CR_CAP_SIZE];<br>
><br>
> unsigned int secbits;<br>
> unsigned int ngroups;<br>
> unsigned int groups[0];<br>
> };<br>
><br>
> #define PARASITE_MAX_GROUPS (PAGE_SIZE - sizeof(struct parasite_dump_creds)) /<br>
> sizeof(unsigned int)<br>
><br>
> > diff --git a/include/prctl.h b/include/prctl.h<br>
> > index b815b96..70db7b9 100644<br>
> > --- a/include/prctl.h<br>
> > +++ b/include/prctl.h<br>
> > @@ -7,6 +7,9 @@<br>
> > #ifndef PR_GET_NAME<br>
> > # define PR_GET_NAME 16<br>
> > #endif<br>
> > +#ifndef PR_CAPBSET_READ<br>
> > +# define PR_CAPBSET_READ 23<br>
> > +#endif<br>
> > #ifndef PR_CAPBSET_DROP<br>
> > # define PR_CAPBSET_DROP 24<br>
> > #endif<br>
> > diff --git a/kerndat.c b/kerndat.c<br>
> > index 0fee20b..3c87f6c 100644<br>
> > --- a/kerndat.c<br>
> > +++ b/kerndat.c<br>
> > @@ -229,6 +229,8 @@ int kerndat_init(void)<br>
> > ret = kerndat_get_dirty_track();<br>
> > if (!ret)<br>
> > ret = init_zero_page_pfn();<br>
> > + if (!ret)<br>
> > + ret = get_last_cap();<br>
><br>
><br>
> >C kerndat.o<br>
> kerndat.c: In function ‘kerndat_init’:<br>
> kerndat.c:221:3: error: implicit declaration of function ‘get_last_cap’<br>
> [-Werror=implicit-function-declaration]<br>
> ret = get_last_cap();<br>
> ^<br>
> cc1: all warnings being treated as errors<br>
><br>
> > return ret;<br>
> > }<br>
><br>
> Thanks,<br>
> Andrew<br>
</div></div>> _______________________________________________<br>
> CRIU mailing list<br>
> <a href="mailto:CRIU@openvz.org">CRIU@openvz.org</a><br>
> <a href="https://lists.openvz.org/mailman/listinfo/criu" target="_blank">https://lists.openvz.org/mailman/listinfo/criu</a><br>
</blockquote></div><br></div></div>