[Devel] Re: [PATCH 6/8] cr: checkpoint and restore task credentials
Serge E. Hallyn
serge at hallyn.com
Thu May 28 07:01:10 PDT 2009
Quoting Alexey Dobriyan (adobriyan at gmail.com):
> On Tue, May 26, 2009 at 12:33:54PM -0500, Serge E. Hallyn wrote:
> > +struct ckpt_hdr_cred {
> > + struct ckpt_hdr h;
> > + __u32 version; /* especially since capability sets might grow */
>
> Oh, no. Image version should be incremented.
Why? The format hasn't changed since my last set I don't think...
Oh, I added the padding. Thanks. I have to bump it again for the
next set (hopefully out today or tomorrow) as it adds securebits.
(And hopefully a first stab at LSM, though it's not looking
likely)
> > + __u32 uid, suid, euid, fsuid;
> > + __u32 gid, sgid, egid, fsgid;
> > + __u64 cap_i, cap_p, cap_e;
> > + __u64 cap_x; /* bounding set ('X') */
> > + __s32 user_ref;
> > + __s32 groupinfo_ref;
> > + __u32 padding;
> > +} __attribute__((aligned(8)));
> > +
> > +struct ckpt_hdr_groupinfo {
> > + struct ckpt_hdr h;
> > + __u32 ngroups;
> > + /*
> > + * This is followed by ngroups __u32s
> > + */
> > + __u32 groups[0];
> > +} __attribute__((aligned(8)));
>
> > --- a/include/linux/sched.h
> > +++ b/include/linux/sched.h
> > @@ -1871,6 +1871,12 @@ static inline struct user_struct *get_uid(struct user_struct *u)
> > extern void free_uid(struct user_struct *);
> > extern void release_uids(struct user_namespace *ns);
> >
> > +#ifdef CONFIG_CHECKPOINT
> > +struct ckpt_ctx;
> > +int checkpoint_write_user(struct ckpt_ctx *, struct user_struct *);
> > +struct user_struct *restore_read_user(struct ckpt_ctx *);
> > +#endif
>
> I'll rip credential stuff from sched.h, better not add more.
Yeah I'll move this in cred.h.
...
> > +#define CKPT_MAXGROUPS 100
> > +#define MAX_GROUPINFO_SIZE (sizeof(*h)+CKPT_MAXGROUPS*sizeof(gid_t))
> > +struct group_info *restore_read_groupinfo(struct ckpt_ctx *ctx)
> > +{
> > + struct group_info *g;
> > + struct ckpt_hdr_groupinfo *h;
> > + int i;
> > +
> > + h = ckpt_read_buf_type(ctx, MAX_GROUPINFO_SIZE, CKPT_HDR_GROUPINFO);
> > + if (IS_ERR(h))
> > + return ERR_PTR(PTR_ERR(h));
> > + if (h->ngroups > CKPT_MAXGROUPS) {
> > + g = ERR_PTR(-EINVAL);
> > + goto out;
> > + }
> > + g = groups_alloc(h->ngroups);
> > + if (!g) {
> > + g = ERR_PTR(-ENOMEM);
> > + goto out;
> > + }
> > + for (i = 0; i < h->ngroups; i++)
> > + GROUP_AT(g, i) = h->groups[i];
> > +
> > +out:
> > + ckpt_hdr_put(ctx, h);
> > + return g;
> > +}
>
> No checks, that groups in image are a) sorted, b) ->ngroups is compatible
> with object image.
Thanks, will fix.
So I'd like to suggest that we take the pieces that we can both use
(the code in groups.c, cred.c, security/security.c, and capabilities)
and get it identical between both versions. But we would need to
find a way to ignore API differences for reading and writing the
checkpoint file.
BTW I have some credentials (users, user namespaces, and securebits)
testcases under cr_tests/userns/ in git://git.sr71.net/~hallyn/cr_tests.git.
Maybe you can reuse some of that for your own testing.
thanks,
-serge
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list