Quoting Alexey Dobriyan (adobriyan@xxxxxxxxx): > On Tue, May 26, 2009 at 12:33:54PM -0500, Serge E. Hallyn wrote: > > +struct ckpt_hdr_cred { > > + struct ckpt_hdr h; > > + __u32 version; /* especially since capability sets might grow */ > > Oh, no. Image version should be incremented. Why? The format hasn't changed since my last set I don't think... Oh, I added the padding. Thanks. I have to bump it again for the next set (hopefully out today or tomorrow) as it adds securebits. (And hopefully a first stab at LSM, though it's not looking likely) > > + __u32 uid, suid, euid, fsuid; > > + __u32 gid, sgid, egid, fsgid; > > + __u64 cap_i, cap_p, cap_e; > > + __u64 cap_x; /* bounding set ('X') */ > > + __s32 user_ref; > > + __s32 groupinfo_ref; > > + __u32 padding; > > +} __attribute__((aligned(8))); > > + > > +struct ckpt_hdr_groupinfo { > > + struct ckpt_hdr h; > > + __u32 ngroups; > > + /* > > + * This is followed by ngroups __u32s > > + */ > > + __u32 groups[0]; > > +} __attribute__((aligned(8))); > > > --- a/include/linux/sched.h > > +++ b/include/linux/sched.h 
> > @@ -1871,6 +1871,12 @@ static inline struct user_struct *get_uid(struct user_struct *u) > > extern void free_uid(struct user_struct *); > > extern void release_uids(struct user_namespace *ns); > > > > +#ifdef CONFIG_CHECKPOINT > > +struct ckpt_ctx; > > +int checkpoint_write_user(struct ckpt_ctx *, struct user_struct *); > > +struct user_struct *restore_read_user(struct ckpt_ctx *); > > +#endif > > I'll rip credential stuff from sched.h, better not add more. Yeah I'll move this in cred.h. ... > > +#define CKPT_MAXGROUPS 100 > > +#define MAX_GROUPINFO_SIZE (sizeof(*h)+CKPT_MAXGROUPS*sizeof(gid_t)) > > +struct group_info *restore_read_groupinfo(struct ckpt_ctx *ctx) > > +{ > > + struct group_info *g; > > + struct ckpt_hdr_groupinfo *h; > > + int i; > > + > > + h = ckpt_read_buf_type(ctx, MAX_GROUPINFO_SIZE, CKPT_HDR_GROUPINFO); > > + if (IS_ERR(h)) > > + return ERR_PTR(PTR_ERR(h)); > > + if (h->ngroups > CKPT_MAXGROUPS) { > > + g = ERR_PTR(-EINVAL); > > + goto out; > > + } > > + g = groups_alloc(h->ngroups); > > + if (!g) { > > + g = ERR_PTR(-ENOMEM); > > + goto out; > > + } > > + for (i = 0; i < h->ngroups; i++) > > + GROUP_AT(g, i) = h->groups[i]; > > + > > +out: > > + ckpt_hdr_put(ctx, h); > > + return g; > > +} > > No checks, that groups in image are a) sorted, b) ->ngroups is compatible > with object image. Thanks, will fix. So I'd like to suggest that we take the pieces that we can both use (the code in groups.c, cred.c, security/security.c, and capabilities) and get it identical between both versions. But we would need to find a way to ignore API differences for reading and writing the checkpoint file. BTW I have some credentials (users, user namespaces, and securebits) testcases under cr_tests/userns/ in git://git.sr71.net/~hallyn/cr_tests.git. Maybe you can reuse some of that for your own testing. 
thanks, -serge
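Review bot: in struct ckpt_hdr_cred the offset of cap_i depends on compiler padding, because nine __u32 fields (version plus the eight ids) precede the first __u64 and the explicit padding word sits at the end of the struct. If sizeof(struct ckpt_hdr) is a multiple of 8, cap_i lands on a 4-byte boundary. An ABI that aligns __u64 members to 8 bytes then inserts a hidden hole after fsgid, while i386 does not, so the two would write different image layouts. The aligned(8) attribute only affects the alignment and size of the whole struct, not member offsets. Suggest moving the explicit padding to just before cap_i, or placing the __u64 members directly after h, so the layout is identical on every architecture and no implicit hole exists.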
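Review bot: the CONFIG_CHECKPOINT block added to include/linux/sched.h has no stubs for the !CONFIG_CHECKPOINT case, so every caller of checkpoint_write_user() and restore_read_user() needs its own #ifdef. The prototypes also omit parameter names. Wherever these declarations end up, name the parameters and document that restore_read_user() reports failure through its pointer return value, so callers know whether to test for NULL or IS_ERR().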
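Review bot: restore_read_groupinfo() checks h->ngroups only against CKPT_MAXGROUPS, never against the amount of data actually read, so the copy loop can read h->groups[i] past the end of a short record. The image controls ngroups. A record shorter than sizeof(*h) + ngroups * sizeof(__u32) still passes the check and fills the new group_info with whatever follows in the buffer. Before groups_alloc(), require the record length to equal exactly that size. The entries are also copied without any ordering check, and groups_search() does a binary search, so an unsorted array makes group membership tests give wrong answers; either reject an image whose entries are not ascending or sort after the copy. Two smaller points: MAX_GROUPINFO_SIZE expands sizeof(*h) and so only compiles where a variable named h is in scope, and it multiplies by sizeof(gid_t) although the on-disk element type is __u32. Spelling it as sizeof(struct ckpt_hdr_groupinfo) + CKPT_MAXGROUPS * sizeof(__u32) removes both dependencies. Finally, i is a signed int compared against the __u32 ngroups; make it unsigned to match.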