On Fri, May 22, 2020 at 09:40:37AM -0700, Casey Schaufler wrote: > On 5/21/2020 10:53 PM, Adrian Reber wrote: > > There are probably a few more things guarded by CAP_SYS_ADMIN required > > to run checkpoint/restore as non-root, > > If you need CAP_SYS_ADMIN anyway you're not gaining anything by > separating out CAP_RESTORE. > > > but by applying this patch I can > > already checkpoint and restore processes as non-root. As there are > > already multiple workarounds I would prefer to do it correctly in the > > kernel to avoid that CRIU users are starting to invent more workarounds. > > You've presented a couple of really inappropriate implementations > that would qualify as workarounds. But the other two are completely > appropriate within the system security policy. They don't "get around" > the problem, they use existing mechanisms as they are intended. > With CAP_CHECKPOINT_RESTORE, we will need to use the same mechanisms. The problem is that CAP_SYS_ADMIN is too wide. If a process has CAP_SYS_ADMIN, it can do a lot of things and the operation of forking a process with a specified pid isn't the most dangerous one in this case. Offten security policies don't allow to grant CAP_SYS_ADMIN to any third-party tools even in non-root user namespaces.
