On Thu, Jan 26, 2023 at 01:30:08AM +0100, Oleg Nesterov wrote: > On 01/24, Gregory Price wrote: > > > > Adds PTRACE_O_SUSPEND_SYSCALL_USER_DISPATCH to ptrace options, and > > modify Syscall User Dispatch to suspend interception when enabled. > > > > This is modeled after the SUSPEND_SECCOMP feature, which suspends > > SECCOMP interposition. Without doing this, software like CRIU will > > inject system calls into a process and be intercepted by Syscall > > User Dispatch, either causing a crash (due to blocked signals) or > > the delivery of those signals to a ptracer (not the intended behavior). > > Cough... Gregory, I am sorry ;) > > but can't we drop this patch to ? > > CRIU needs to do PTRACE_SET_SYSCALL_USER_DISPATCH_CONFIG and check > config->mode anyway as we discussed. > > Then it can simply set *config->selector = SYSCALL_DISPATCH_FILTER_ALLOW > with the same effect, no? > > Oleg. > The selector is optional, but the core idea seems reasonable. Though I think this complicates the quiesce vs checkpoint phases a bit. My best understanding of CRIU is there are (at least) two checkpoint phases: quiesce and checkpoint. The intent of patch 1/2 is to aid the quiesce phase, not the checkpoint phase. In both phases the `compel` code is used to inject system calls, so turning SUD off is required. That can obviously be achieved via saving with get_config, and just clearing it entirely with set_config. I'm NOT sure whether the `compel` code can save settings that the `cr-check` code then saves to disc, or if `compel` is standalone. I will go check this and report back. The only other concern is one of how it's restored, and in what order compared to SECCOMP - for the absolute insane case of someone running a SUD task inside a locked down cgroup? Technically possible (TM)! We may find that the suspend flag is "just easier" but not required. I do think more-simple-is-more-better, though, so I will investigate. ~Gregory
