[2/3] seccomp: Move changed ptrace flags setup after creds

Submitted by Dmitry Safonov on May 16, 2018, 1:33 a.m.

Details

Message ID CAJwJo6ZVuBWZMR6qZiaktYj+5XpN-9SDm=T6jnoaF3Wi9d85Qw@mail.gmail.com
State Accepted
Series "seccomp: A few fixes on top of criu-dev"
Headers show

Commit Message

Dmitry Safonov May 16, 2018, 1:33 a.m.
2018-05-15 9:12 GMT+01:00 Cyrill Gorcunov <gorcunov@gmail.com>:
> Credential commitment affects dumpable and pdeath signals
> so we have to move their restore after the restore_creds,
> just like we have in __export_restore_task (ie for
> group leader).
>
> https://jira.sw.ru/browse/PSBM-84198
>
> Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>

Ack,
Fixes: s390
Please, pay attention to Andrey comment about goto core_restore_end
in "[PATCH 08/10] seccomp: Dont forget to suspend filtering on threads"

Also, it might be worth to update:


Thanks,
             Dmitry

Patch hide | download patch | download mbox

--- a/criu/include/restorer.h
+++ b/criu/include/restorer.h
@@ -282,7 +282,7 @@  enum {
         * almost ready and what's left is:
         *   pick up zombies and helpers
         *   restore sigchild handlers used to detect restore errors
-        *   restore credentials
+        *   restore credentials, seccomp, dumpable and pdeath_sig
         */
        CR_STATE_RESTORE,
        /*
@@ -297,6 +297,8 @@  enum {
         * credentials are restored. Otherwise someone can attach to a
         * process, which are not restored credentials yet and execute
         * some code.
+        * Seccomp needs to be restored after creds.
+        * Dumpable and pdeath signal are restored after seccomp.
         */
        CR_STATE_RESTORE_CREDS,
        CR_STATE_COMPLETE