Serge -

The 'creator' makes the 'struct user' recursive because to save an object
you need to first save its creator, etc. However, the implementation may
not call checkpoint_obj() recursively if the depth isn't bounded a priori.
You probably need to convert checkpoint_write_user() to do an iterative
(loop) implementation of the recursion...

Oren.

Serge E. Hallyn wrote:
> This patch adds the checkpointing and restart of credentials
> (uids, gids, and capabilities) to Oren's c/r patchset (on top
> of v14). It goes to great pains to re-use (and define when
> needed) common helpers, in order to make sure that as security
> code is modified, the cr code will be updated. Some of the
> helpers should still be moved (i.e. _creds() functions should
> be in kernel/cred.c).
>
> When building the credentials for the restarted process, I
> 1. create a new struct cred as a copy of the running task's
> cred (using prepare_cred())
> 2. always authorize any changes to the new struct cred
> based on the permissions of current_cred() (not the current
> transient state of the new cred).
>
> While this may mean that certain transient_cred1->transient_cred2
> states are allowed which otherwise wouldn't be allowed, the
> fact remains that current_cred() is allowed to transition to
> transient_cred2.
>
> The reconstructed creds are applied to the task at the very
> end of the sys_restart call. This ensures that any objects which
> need to be re-created (file, socket, etc.) are re-created using
> the creds of the task calling sys_restart - preventing an unpriv
> user from creating a privileged object, and ensuring that a
> root task can restart a process which had started out privileged,
> created some privileged objects, then dropped its privilege.
>
> With these patches, the root user can restart checkpoint images
> (created by either hallyn or root) of user hallyn's tasks,
> resulting in a program owned by hallyn.
>
> Plenty of bugs to be found, no doubt.
>
> Changelog:
> May 18: fix more refcounting: if (userns 5, uid 0) had
> no active tasks or child user_namespaces, then
> it shouldn't exist at restart or it, its namespace,
> and its whole chain of creators will be leaked.
> May 14: fix some refcounting:
> 1. a new user_ns needs a ref to remain pinned
> by its root user
> 2. current_user_ns needs an extra ref bc objhash
> drops two on restart
> 3. cred needs a ref for the real credentials bc
> commit_creds eats one ref.
> May 13: folded in fix to userns refcounting.
>
> Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>

[...]

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
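Added illustration of the iterative rewrite Oren asks for above. This is example code written for this page, not code from Oren's or Serge's patches: `struct user_rec`, `struct image`, `emit()` and `already_written()` are constructed stand-ins for the kernel's `user_struct`, the checkpoint image and the objhash lookup that `checkpoint_obj()` performs, and the depth bound of 64 in the recursive version is an arbitrary value chosen for the demonstration. The point it shows is that the recursion exists only to get the ordering right (creator before created), and that the same ordering falls out of a loop that first walks the creator links into a heap array and then writes it back from the root, with constant stack use. It also handles the two failure modes a practitioner would check: an ancestor already in the image ends the walk early (so shared creators are written once), and a loop in the creator links is rejected rather than walked forever.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's user_struct, constructed for this example only.
 * The creator link is what makes the structure recursive; NULL at the root. */
struct user_rec {
	unsigned int uid;
	unsigned int ns_id;		/* user namespace the uid lives in */
	const struct user_rec *creator;
};

#define IMG_MAX 4096

/* Constructed "checkpoint image": records in the order they were written.
 * It doubles as the objhash-style "already saved?" table. */
struct image {
	const struct user_rec *written[IMG_MAX];
	size_t count;
};

static int already_written(const struct image *img, const struct user_rec *u)
{
	for (size_t i = 0; i < img->count; i++)
		if (img->written[i] == u)
			return 1;
	return 0;
}

static int emit(struct image *img, const struct user_rec *u)
{
	if (img->count >= IMG_MAX)
		return -1;
	img->written[img->count++] = u;
	return 0;
}

/* The recursive shape Oren objects to: one stack frame per creator link, so
 * the checkpointed task's namespace nesting dictates kernel stack depth. The
 * explicit bound is what keeps it safe, and it makes deep chains fail. */
static int write_user_recursive(struct image *img, const struct user_rec *u,
				size_t depth)
{
	int rc;

	if (!u || already_written(img, u))
		return 0;
	if (depth > 64)
		return -1;	/* arbitrary bound chosen for the example */
	rc = write_user_recursive(img, u->creator, depth + 1);
	return rc ? rc : emit(img, u);
}

/* Iterative version: collect the unsaved part of the chain into a heap array,
 * stopping at the first ancestor already in the image (its creators were
 * saved before it), then emit from the root downwards so every creator
 * precedes the users it created. Stack use no longer depends on depth. */
static int write_user_iterative(struct image *img, const struct user_rec *u)
{
	size_t cap = 8, n = 0;
	const struct user_rec **chain = malloc(cap * sizeof(*chain));
	int rc = 0;

	if (!chain)
		return -1;
	for (const struct user_rec *p = u; p && !already_written(img, p);
	     p = p->creator) {
		/* A creator chain must end at a root: a loop means a corrupted
		 * object graph, and an unbounded walk would spin on it. */
		for (size_t i = 0; i < n; i++)
			if (chain[i] == p) {
				free(chain);
				return -2;
			}
		if (n == cap) {
			const struct user_rec **tmp =
				realloc(chain, 2 * cap * sizeof(*chain));
			if (!tmp) {
				free(chain);
				return -1;
			}
			chain = tmp;
			cap *= 2;
		}
		chain[n++] = p;
	}
	while (n > 0 && rc == 0)
		rc = emit(img, chain[--n]);	/* root first */
	free(chain);
	return rc;
}

int main(void)
{
	/* Constructed chain: init_user_ns root -> uid 1000 -> root of a child
	 * user namespace -> uid 1000 inside that namespace. */
	struct user_rec root = { 0, 0, NULL }, a = { 1000, 0, &root };
	struct user_rec b = { 0, 5, &a }, c = { 1000, 5, &b };
	struct image img;

	memset(&img, 0, sizeof(img));
	return write_user_iterative(&img, &c) == 0 && img.count == 4 ? 0 : 1;
}
```

The returned codes are deliberately distinct: -1 is an ordinary resource failure (image full, allocation failed, or the recursive version giving up on depth), while -2 marks a structural problem in the input graph that restart should treat as a corrupt image rather than retry.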