[Devel] Re: [PATCH 1/1] cr: define CHECKPOINT_SUBTREE flag and sysctl

Serge E. Hallyn serge at hallyn.com
Fri Apr 24 19:51:54 PDT 2009


Quoting Serge E. Hallyn (serge at hallyn.com):
> Quoting Nathan Lynch (ntl at pobox.com):
> > "Serge E. Hallyn" <serue at us.ibm.com> writes:
> > > Define a CHECKPOINT_SUBTREE flag for sys_checkpoint() which
> > > says it's ok if the checkpointed set of tasks are not
> > > a fully isolated container without leaks.
> > >
> > > Define a sysctl 'ckpt_subtree_allowed' which determines
> > > whether subtree checkpoints are ok.  If that sysctl,
> > > ckpt_subtree_allowed, is 0, then the CHECKPOINT_SUBTREE flag
> > > may not be used.  Also, if that sysctl is 0, then both
> > > sys_checkpoint() and sys_restart() always require
> > > CAP_SYS_ADMIN.
> > 
> > Whether subtree checkpoint is allowed and whether non-admin checkpoint
> > is allowed are independent constraints, no?  Should this really be a
> > single flag?
> 
> Well it's not about the flag, it's about the sysctl.  So actually
> I don't have that right at checkpoint (but do at restart).  It
> should just be:
> 
> 	if (!ckpt_subtree_allowed && !capable(CAP_SYS_ADMIN))
> 		return -EPERM;
> 
> for both.
> 
> As for making it two sysctls, I don't really care.  Fine by me...

Hmm, no...  I think you've clarified this for me.

There's no need for a sysctl disallowing the CHECKPOINT_SUBTREE
flag.  There should just be an unprivileged_checkpoint sysctl
determining whether CAP_SYS_ADMIN is always needed.  Then
the optional CHECKPOINT_SUBTREE is always allowed.

That makes much more sense.  Thanks, Nathan.

-serge
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
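The three stages of the permission check argued out above, as an added userspace model in C. This is not code from the patch or from the linux-cr tree: the function names, the CHECKPOINT_SUBTREE bit value, the -EINVAL code for a rejected flag, and the has_cap_sys_admin parameter (standing in for capable(CAP_SYS_ADMIN)) are assumptions made here so the three policies can be run side by side without a kernel.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed flag bit for illustration; the real value is whatever the
 * linux-cr headers define. */
#define CHECKPOINT_SUBTREE 0x1UL

/*
 * Version 1: the patch as first described. A single sysctl,
 * ckpt_subtree_allowed, both forbids the CHECKPOINT_SUBTREE flag and
 * makes CAP_SYS_ADMIN mandatory when it is 0. The error code for a
 * forbidden flag is assumed here (-EINVAL); the patch text does not say.
 */
static int ckpt_perm_v1(unsigned long flags, int ckpt_subtree_allowed,
                        int has_cap_sys_admin)
{
    if (!ckpt_subtree_allowed) {
        if (flags & CHECKPOINT_SUBTREE)
            return -EINVAL;
        if (!has_cap_sys_admin)
            return -EPERM;
    }
    return 0;
}

/*
 * Version 2: the interim correction quoted in the thread, applied to both
 * sys_checkpoint() and sys_restart(). The sysctl only decides whether
 * CAP_SYS_ADMIN is needed; the flag is not inspected here.
 */
static int ckpt_perm_v2(unsigned long flags, int ckpt_subtree_allowed,
                        int has_cap_sys_admin)
{
    (void)flags;
    if (!ckpt_subtree_allowed && !has_cap_sys_admin)
        return -EPERM;
    return 0;
}

/*
 * Version 3: the final shape. The sysctl is named for what it decides
 * (unprivileged_checkpoint) and CHECKPOINT_SUBTREE is always permitted.
 * Same logic as version 2; only the name changes.
 */
static int ckpt_perm_v3(unsigned long flags, int unprivileged_checkpoint,
                        int has_cap_sys_admin)
{
    (void)flags;
    if (!unprivileged_checkpoint && !has_cap_sys_admin)
        return -EPERM;
    return 0;
}

/*
 * Walk every combination of (sysctl, capability, flag) and count the
 * inputs on which version 1 and version 3 differ on allow vs. deny.
 * The one disagreement is "sysctl 0, caller has CAP_SYS_ADMIN, flag set":
 * v1 rejects a privileged subtree checkpoint, v3 allows it, which is the
 * coupling of two independent constraints that the thread objects to.
 */
static int count_v1_v3_disagreements(void)
{
    int n = 0;
    for (int sysctl = 0; sysctl <= 1; sysctl++)
        for (int cap = 0; cap <= 1; cap++)
            for (int sub = 0; sub <= 1; sub++) {
                unsigned long flags = sub ? CHECKPOINT_SUBTREE : 0;
                int allow1 = ckpt_perm_v1(flags, sysctl, cap) == 0;
                int allow3 = ckpt_perm_v3(flags, sysctl, cap) == 0;
                if (allow1 != allow3)
                    n++;
            }
    return n;
}

int main(void)
{
    printf("sysctl cap subtree | v1 v2 v3\n");
    for (int sysctl = 0; sysctl <= 1; sysctl++)
        for (int cap = 0; cap <= 1; cap++)
            for (int sub = 0; sub <= 1; sub++) {
                unsigned long flags = sub ? CHECKPOINT_SUBTREE : 0;
                printf("  %d     %d    %d     | %3d %3d %3d\n",
                       sysctl, cap, sub,
                       ckpt_perm_v1(flags, sysctl, cap),
                       ckpt_perm_v2(flags, sysctl, cap),
                       ckpt_perm_v3(flags, sysctl, cap));
            }
    printf("v1/v3 allow-deny disagreements: %d\n",
           count_v1_v3_disagreements());
    return 0;
}
```

The table makes the point of the thread visible: with the sysctl at 0, version 1 turns away a CAP_SYS_ADMIN caller that asks for a subtree checkpoint, even though the capability test and the subtree question have nothing to do with each other; versions 2 and 3 let the sysctl decide only the privilege question.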