v2:
* add another filter to the chain to test the inheritance chaining check
* include zdtm.py desc file
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This commit adds basic support for dumping and restoring seccomp filters
via the new ptrace interface. There are two current known limitations with
this approach:
1. This approach doesn't support restoring tasks who first do a seccomp()
and then a setuid(); the test elaborates on this and I don't think it is
tough to do, but it is not done yet.
2. Filters are compared via memcmp(), so two tasks which have the same
parent task and install identical (via memory) filters will have those
filters considered to be the "same". Since we force all tasks to have
the same creds (including seccomp filters) right now, this isn't a
problem.
The approach used here is very similar to the cgroup approach: the actual
filters are stored in a seccomp.img, and each task has an id that points to
the part of the filter tree it needs to restore. This keeps us from dumping
the same filter multiple times, since filters are inherited on fork.
v2:
* remove unused seccomp_filters field from struct rst_info
* rework memory layout for passing filters to restorer blob
* add a sanity check when finding inherited filters
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Otherwise the kernel can set it as a control terminal for the currect
session and CRIU will not be able to set it as a control terminal for
the target process.
Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
It can be the same with a parent one and the helper will inherit all
parent resources.
Now we can dereference item->ids for all task. It's used in
restore_task_mnt_ns, for example.
Reported-by: Mr Jenkins
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
If processes share a file descriptor table, they all have their own set
of service descriptors. close_old_fds() closes all file descriptors
execpt service descriptors
Fixes: 9d60724eca ("restore: restore mntns before creating private vma-s (v3)")
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
close_olds_fds() knows nothing about more than one set of service file
descriptros, so it's better to call it before forking children as it was
bedore 9d60724eca ("restore: restore mntns before creating private vma-s")
The root task restores all processes and pin them with file descriptors,
then a task restores a mount namespace by opening the file descriptor of
the root task via /proc/pid/fd/X.
Reported-by: Mr Jenkins
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
We need to open a file to restore a file mapping and this file
can be from a current mntns.
v2: All namespaces are resotred from the root task and then
other tasks calls setns() to set a proper mntns.
v3: fix comments from Pavel
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
There might be several same terminals opened (say
tty6 or whatever) which gonna look as separate
files but actually pointing to the same tty kernel
instance. Moreover if it's a controlling terminal
we will be trying to restore it as many times as
find non zero sid on a peer.
Instead lets do a simple trick first: choose a leader
from a terminal group and use it only for controlling
terminal restoration.
https://jira.sw.ru/browse/PSBM-40969
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Reviewed-by: Andrew Vagin <avagin@odin.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
open_mountpoint() have to operate in target's mount namespace,
which may differ from root's namespace - root_item->pid.real.
So obtain the correct mount namespace from mount_info and use
it in switch_ns().
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
If two ns_flavor.init() are called in parallel then all the os.mkdir()
calls would end up with EEXISTS exception.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
There are tests (e.g. on locks) that can conflict with each other, so
wait for all the other jobs to finish before running such.
v2:
Wait for the excl test to finish before launching more of them.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
zdtm.sh doesn't suppport dependencies. This test uses the ip tool.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
If the pagemap we read at some point covers two (or more) pagemaps
in parent images, we cannot just call the parent page read for all
those pages. Instead, we must call parent page read with shorter
requests so that it handles its own pagemaps properly.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
On arm
| CC crtools.o
| In file included from arch/arm/include/asm/bitops.h:4:0,
| from arch/arm/include/asm/types.h:9,
| from include/proc_parse.h:5,
| from include/ptrace.h:8,
| from cr-restore.c:27:
| cr-restore.c: In function 'restore_priv_vma_content':
| include/compiler.h:60:17: error: comparison of distinct pointer types lacks a cast [-Werror]
| (void) (&_min1 == &_min2); \
|
Reported-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
I'm too lazy to install new tools on all test hosts.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Grabbed from kernel. Probably worth to gather
all bits manipulators here in future.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
When the VMA being restored is not COW-ed we read pages from images
one-by-one which results in suboptimal pages.img access. Fix this
by reading as many pages from iamge at once as possible withing the
active pagemap and VMA.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
v2: * add a zdtm.py .desc file
* only look to make sure inet addresses match (in particular, don't
match the state)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Implementing c/r of bridges with slaves shouldn't be too hard (viz. the
comment), but this is all I need to for right now.
v2: remove extra debug statement
v3: * remember to close fd in dump_bridge
* use "known" buffer length and snprintf for spath in dump_bridge
* change brace style
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
