[Devel] Re: [PATCH 1/1] cr: define CHECKPOINT_SUBTREE flag and sysctl
Serge E. Hallyn
serge at hallyn.com
Fri Apr 24 19:51:54 PDT 2009
Quoting Serge E. Hallyn (serge at hallyn.com):
> Quoting Nathan Lynch (ntl at pobox.com):
> > "Serge E. Hallyn" <serue at us.ibm.com> writes:
> > > Define a CHECKPOINT_SUBTREE flag for sys_checkpoint() which
> > > says it's ok if the checkpointed set of tasks are not
> > > a fully isolated container without leaks.
> > >
> > > Define a sysctl 'ckpt_subtree_allowed' which determines
> > > whether subtree checkpoints are ok. If that sysctl,
> > > ckpt_subtree_allowed, is 0, then the CHECKPOINT_SUBTREE flag
> > > may not be used. Also, if that sysctl is 0, then both
> > > sys_checkpoint() and sys_restart() always require
> > > CAP_SYS_ADMIN.
> >
> > Whether subtree checkpoint is allowed and whether non-admin checkpoint
> > is allowed are independent constraints, no? Should this really be a
> > single flag?
>
> Well it's not about the flag, it's about the sysctl. So actually
> I don't have that right at checkpoint (but do at restart). It
> should just be:
>
>     if (!ckpt_subtree_allowed && !capable(CAP_SYS_ADMIN))
>         return -EPERM;
>
> for both.
>
> As for making it two sysctls, I don't really care. Fine by me...
Hmm, no... I think you've clarified this for me.
There's no need for a sysctl disallowing the CHECKPOINT_SUBTREE
flag. There should just be an unprivileged_checkpoint sysctl
determining whether CAP_SYS_ADMIN is always needed. Then
the optional CHECKPOINT_SUBTREE is always allowed.
That makes much more sense. Thanks, Nathan.
-serge
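As an added illustration of the two policies discussed in this thread (this is a user-space model written for this page, not code from the patch or from the kernel), the functions below compare the original single-sysctl design with the revised one. The flag value, the `has_cap_sys_admin` argument standing in for `capable(CAP_SYS_ADMIN)`, and the function names are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed value for the CHECKPOINT_SUBTREE flag; the real bit is defined
 * by the patch, not here. */
#define CHECKPOINT_SUBTREE 0x1UL

/* Original design from the patch description: a single sysctl,
 * ckpt_subtree_allowed, both forbids the CHECKPOINT_SUBTREE flag and
 * forces CAP_SYS_ADMIN when it is 0.  has_cap_sys_admin stands in for
 * the kernel's capable(CAP_SYS_ADMIN). */
int ckpt_perm_original(unsigned long flags, bool has_cap_sys_admin,
                       int ckpt_subtree_allowed)
{
    if (!ckpt_subtree_allowed) {
        if (flags & CHECKPOINT_SUBTREE)
            return -EPERM;      /* flag refused even for a privileged caller */
        if (!has_cap_sys_admin)
            return -EPERM;      /* unprivileged checkpoint/restart refused */
    }
    return 0;
}

/* Revised design reached at the end of the thread: a sysctl
 * (unprivileged_checkpoint) decides only whether CAP_SYS_ADMIN is
 * required; CHECKPOINT_SUBTREE is always accepted, so the two
 * constraints are independent. */
int ckpt_perm_revised(unsigned long flags, bool has_cap_sys_admin,
                      int unprivileged_checkpoint)
{
    (void)flags;                /* the subtree flag no longer matters here */
    if (!unprivileged_checkpoint && !has_cap_sys_admin)
        return -EPERM;
    return 0;
}

/* Number of (flag, privilege) combinations where the two designs disagree
 * with the sysctl set to 0 (the restrictive setting in both designs). */
int count_disagreements_when_restricted(void)
{
    int diffs = 0;
    unsigned long flag_cases[] = { 0, CHECKPOINT_SUBTREE };
    bool cap_cases[] = { false, true };

    for (int f = 0; f < 2; f++)
        for (int c = 0; c < 2; c++)
            if (ckpt_perm_original(flag_cases[f], cap_cases[c], 0) !=
                ckpt_perm_revised(flag_cases[f], cap_cases[c], 0))
                diffs++;
    return diffs;
}

int main(void)
{
    /* Privileged caller asking for a subtree checkpoint with the sysctl
     * at 0: refused by the original design, allowed by the revised one. */
    printf("original: %d, revised: %d\n",
           ckpt_perm_original(CHECKPOINT_SUBTREE, true, 0),
           ckpt_perm_revised(CHECKPOINT_SUBTREE, true, 0));
    printf("combinations that differ: %d\n",
           count_disagreements_when_restricted());
    return 0;
}
```

The one combination where the designs differ is the privileged caller using CHECKPOINT_SUBTREE while the sysctl is 0: the original design refuses it, the revised design lets the capability check alone decide.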
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers