[v2,22/30] user_ns: Prepare creds of newly created task

Submitted by Kirill Tkhai on June 7, 2017, 11:29 a.m.

Details

Message ID 149683497246.4663.13305155705894742549.stgit@localhost.localdomain
State Accepted
Series "Support sockets leaked to child user_ns task"
Commit 8c30fb6e0faf253e2d79f632ad33e7b339987f27
Headers show

Commit Message

Kirill Tkhai June 7, 2017, 11:29 a.m.
Sockets are sent via SCM_CREDENTIALS, and this kernel interface
needs to have uid and gid mapped (see __scm_send() in kernel).
So, set them before send_fds() use.

Also, move prep_usernsd_transport() below to be after this
for uniformity.

v2: New

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 criu/cr-restore.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

Patch hide | download patch | download mbox

diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 6c6484e67..298fb693a 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -1265,6 +1265,11 @@  static void maybe_clone_parent(struct pstree_item *item,
 	}
 }
 
+static bool needs_prep_creds(struct pstree_item *item)
+{
+	struct pstree_item *parent = item->parent;
+	return (!parent || parent->ids->user_ns_id != item->ids->user_ns_id);
+}
 static int call_clone_fn(void *arg)
 {
 	struct cr_clone_arg *ca = arg;
@@ -1732,11 +1737,11 @@  static int restore_task_with_children(void *_arg)
 		/* Wait prepare_userns */
 		if (restore_finish_ns_stage(CR_STATE_ROOT_TASK, CR_STATE_PREPARE_NAMESPACES) < 0)
 			goto err;
-
-		if (prep_usernsd_transport())
-			goto err;
 	}
 
+	if (needs_prep_creds(current) && (prepare_userns_creds()))
+		goto err;
+
 	/*
 	 * Call this _before_ forking to optimize cgroups
 	 * restore -- if all tasks live in one set of cgroups
@@ -1748,6 +1753,9 @@  static int restore_task_with_children(void *_arg)
 
 	/* Restore root task */
 	if (current->parent == NULL) {
+		if (prep_usernsd_transport())
+			goto err;
+
 		if (join_namespaces()) {
 			pr_perror("Join namespaces failed");
 			goto err;