Hi Younes,

On 1/17/23 19:03, Younes Manton wrote:
> imachug@xxxxxxxxx, testing CRIU, noticed that the documentation for
> proc's map_files directory with respect to CAP_CHECKPOINT_RESTORE and
> namespaces appears to be wrong. The text reads:
>
>> since Linux 5.9, the reading process must have
>> either CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE in the user
>> namespace where it resides.
>
> The reporter noted that the user actually needs the capabilities in
> the initial user namespace, not in the namespace the process resides
> in. As far as I can tell this appears to be the case.
>
> The text was introduced in 167f94b707148bcd46fe39c7d4ebfada9eed88f6
> and refers to kernel commit 12886f8ab10ce6a09af1d92535d49c81aaa215a8.
>
> The code and message in the kernel commit refer to the initial user namespace.
>
> An example program and shell session verifying the existing behaviour
> follow:
>
> $ uname -r
> 5.15.0-52-generic
>
> $ ./test.sh
> + make rmf
> cc rmf.c -o rmf
> + sudo setcap cap_checkpoint_restore-eip ./rmf
> + ./rmf
> 19582: =
> Can't read map_files/ entry: Operation not permitted
> + sudo setcap cap_checkpoint_restore+eip ./rmf
> + ./rmf
> 19588: cap_checkpoint_restore=ep
> + unshare --user ./rmf
> 19591: cap_checkpoint_restore=ep
> Can't read map_files/ entry: Operation not permitted
>
> $ cat rmf.c
>
> #include <dirent.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/stat.h>
> #include <unistd.h>
>
> int main(int argc, char **argv)
> {
> 	DIR *mfd;
> 	struct dirent *mfe;
> 	struct stat mfstat;
> 	int ret;
>
> 	/* Print the capabilities of this process (the shell's parent). */
> 	system("getpcaps $PPID");
>
> 	if (chdir("/proc/self/map_files") || !(mfd = opendir("."))) {
> 		perror("Can't open /proc/self/map_files");
> 		return 1;
> 	}
> 	/* Skip "." and ".."; listing the directory succeeds even without the capability. */
> 	do {
> 		mfe = readdir(mfd);
> 	} while (mfe && (!strcmp(mfe->d_name, ".") || !strcmp(mfe->d_name, "..")));
> 	if (!mfe) {
> 		fprintf(stderr, "map_files/ has no entries\n");
> 		closedir(mfd);
> 		return 1;
> 	}
> 	/* Resolving an entry is the step that needs the capability. */
> 	if ((ret = stat(mfe->d_name, &mfstat)))
> 		perror("Can't read map_files/ entry");
> 	closedir(mfd);
>
> 	return ret;
> }
>
> Signed-off-by: Younes Manton <younes.m@xxxxxxxxx>

Thanks a lot for the detailed commit message.
And sorry for the delay!

Patch applied.

Cheers,

Alex

> ---
>  man5/proc.5 | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/man5/proc.5 b/man5/proc.5 > index 1217cea89..981310562 100644 > --- a/man5/proc.5 > +++ b/man5/proc.5 > @@ -1267,7 +1267,7 @@ since Linux 5.9, the reading process must have either > .B CAP_SYS_ADMIN > or > .B CAP_CHECKPOINT_RESTORE > -in the user namespace where it resides. > +in the initial (i.e. root) user namespace. > .TP > .IR /proc/ pid /maps > A file containing the currently mapped memory regions and their access -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
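Review bot: the new line "in the initial (i.e. root) user namespace." should read "(i.e., root)" to follow man-pages(7), which allows "i.e." only in short parenthetical asides and asks for a comma after it; apart from that nit the wording is right: it matches the kernel commit named in the commit message (12886f8ab10ce6a09af1d92535d49c81aaa215a8), whose code and message refer to the initial user namespace, and the quoted `unshare --user ./rmf` run on 5.15, where getpcaps still reports cap_checkpoint_restore=ep but stat() fails with EPERM, is exactly the case the old sentence described incorrectly, so the one-line change is sufficient.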
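The behaviour the commit message verifies has two distinct permission levels, and the quoted session exercises them indirectly (readdir() succeeds in every run, only the stat() that resolves an entry is refused). The following is an added example, not code from the patch, the thread or the man-pages project, that makes the distinction explicit: it lists /proc/self/map_files, resolves the first real entry with readlink(), and reports which step failed. The function names, the "start-end" name parser and the return convention (0, or -errno of the failing step) are this example's own choices; it assumes a Linux 5.9 or later kernel with /proc mounted.

```c
/*
 * Added example, not part of the patch or the thread: probe the two
 * permission levels of /proc/<pid>/map_files on Linux >= 5.9.
 * Listing the directory needs only ptrace access to the target (here:
 * ourselves); resolving an entry with readlink()/stat() additionally
 * needs CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE held in the initial
 * user namespace. Function names and return convention are this
 * example's own.
 */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Parse an entry name "start-end" (lower-case hex, no 0x prefix) into the
 * mapped address range. Returns 0 on success, -1 if the name is not of that
 * form (this also rejects "." and "..").
 */
int parse_map_files_name(const char *name, unsigned long *start, unsigned long *end)
{
	char *p;
	const char *q;

	errno = 0;
	*start = strtoul(name, &p, 16);
	if (errno || p == name || *p != '-')
		return -1;
	q = p + 1;
	*end = strtoul(q, &p, 16);
	if (errno || p == q || *p != '\0')
		return -1;
	return *end > *start ? 0 : -1;
}

/*
 * Resolve the first real entry of /proc/self/map_files. Returns 0 and copies
 * the backing file's path into target on success; otherwise returns -errno
 * of the step that failed: -ENOENT if the directory is missing, -EPERM if
 * readdir() worked but readlink() was refused, i.e. the capability is not
 * held in the initial user namespace (the case the patch documents).
 */
int probe_map_files(char *target, size_t targetsz)
{
	DIR *d;
	struct dirent *e;
	unsigned long start, end;
	char path[64];
	ssize_t n;
	int ret = -ENOENT;	/* no parsable entry found at all */

	if (targetsz == 0)
		return -EINVAL;
	d = opendir("/proc/self/map_files");
	if (!d)
		return -errno;	/* the listing step itself failed */
	while ((e = readdir(d)) != NULL) {
		if (parse_map_files_name(e->d_name, &start, &end))
			continue;	/* "." and ".." */
		snprintf(path, sizeof path, "/proc/self/map_files/%s", e->d_name);
		n = readlink(path, target, targetsz - 1);
		if (n < 0) {
			ret = -errno;	/* -EPERM without the capability */
		} else {
			target[n] = '\0';
			ret = 0;
		}
		break;		/* one entry is enough to tell the cases apart */
	}
	closedir(d);
	return ret;
}

int main(void)
{
	char target[4096];
	int r = probe_map_files(target, sizeof target);

	if (r == 0)
		printf("map_files entry resolved: %s\n", target);
	else
		printf("map_files probe failed: %s\n", strerror(-r));
	return r ? 1 : 0;
}
```

Build with `cc probe.c -o probe` and run it unprivileged, then after `sudo setcap cap_checkpoint_restore+eip ./probe`, and then under `unshare --user ./probe`, to reproduce the three cases of the quoted session: EPERM, success, EPERM again (the capability is still shown by getpcaps inside the new user namespace, but it is no longer held in the initial one, which is what the kernel checks).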