On Tue, Jun 02, 2015 at 12:36:16PM +0300, Andrey Wagin wrote:
> 2015-06-01 22:28 GMT+03:00 Tycho Andersen <tycho.andersen@xxxxxxxxxxxxx>:
> > This patch is the first step in enabling checkpoint/restore of processes
> > with seccomp enabled.
> >
> > One of the things CRIU does while dumping tasks is inject code into them
> > via ptrace to collect information that is only available to the process
> > itself. However, if we are in a seccomp mode where these processes are
> > prohibited from making these syscalls, then what CRIU does kills the task.
> >
> > This patch adds a new ptrace command, PTRACE_SUSPEND_SECCOMP that enables a
> > task from the init user namespace which has CAP_SYS_ADMIN to disable (and
> > re-enable) seccomp filters for another task so that they can be
> > successfully dumped (and restored).
>
> Do we need to re-enable seccomp if a tracer detaches unexpectedly?
> CRIU can be killed and we should try to not affect the task state even
> in this case.

Yes, I think Pavel's suggestion on the CRIU list of simply
automatically re-enabling seccomp on ptrace detach is the right way to
go here; it should cover this case.

The only question is whether or not to leave the explicit ability to
re-enable seccomp before detach or not. I don't think it's necessary
for CRIU, so perhaps I'll remove it in the next version.

Tycho