[08/28] seccomp: Drop pi_creds from dmp_info

Submitted by Cyrill Gorcunov on March 20, 2018, 9:42 p.m.

Details

Message ID 20180320214313.25326-9-gorcunov@gmail.com
State Rejected
Series "seccomp, v2: Add support for per-thread tracking"

Commit Message

Cyrill Gorcunov March 20, 2018, 9:42 p.m.
From: Cyrill Gorcunov <gorcunov@virtuozzo.com>

No longer needed. Because of this we don't
need to allocate this entry dynamically.

Also creds_dumpable is no longer needed because
the only thing we need to check is the seccomp mode.

Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
---
 criu/cr-dump.c        | 19 ++++++++-----
 criu/include/pstree.h |  2 +-
 criu/seccomp.c        |  4 +--
 criu/seize.c          | 77 ++++++++++++---------------------------------------
 4 files changed, 32 insertions(+), 70 deletions(-)


diff --git a/criu/cr-dump.c b/criu/cr-dump.c
index 094d016489ea..7a2a5fa6e51e 100644
--- a/criu/cr-dump.c
+++ b/criu/cr-dump.c
@@ -746,7 +746,7 @@  static int dump_task_core_all(struct parasite_ctl *ctl,
 	CoreEntry *core = item->core[0];
 	pid_t pid = item->pid->real;
 	int ret = -1;
-	struct proc_status_creds *creds;
+	struct seccomp_entry *entry;
 	struct parasite_dump_cgroup_args cgroup_args, *info = NULL;
 
 	BUILD_BUG_ON(sizeof(cgroup_args) < PARASITE_ARG_SIZE_MIN);
@@ -759,15 +759,20 @@  static int dump_task_core_all(struct parasite_ctl *ctl,
 	if (ret < 0)
 		goto err;
 
-	creds = dmpi(item)->pi_creds;
-	if (creds->s.seccomp_mode != SECCOMP_MODE_DISABLED) {
-		pr_info("got seccomp mode %d for %d\n", creds->s.seccomp_mode, vpid(item));
+	entry = seccomp_find_entry(item, pid);
+	if (!entry) {
+		ret = -1;
+		goto err;
+	}
+
+	if (entry->mode != SECCOMP_MODE_DISABLED) {
+		pr_info("got seccomp mode %d for %d\n", entry->mode, vpid(item));
 		core->tc->has_seccomp_mode = true;
-		core->tc->seccomp_mode = creds->s.seccomp_mode;
+		core->tc->seccomp_mode = entry->mode;
 
-		if (creds->s.seccomp_mode == SECCOMP_MODE_FILTER) {
+		if (entry->mode == SECCOMP_MODE_FILTER) {
 			core->tc->has_seccomp_filter = true;
-			core->tc->seccomp_filter = creds->last_filter;
+			core->tc->seccomp_filter = dmpi(item)->last_filter;
 		}
 	}
 
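Review bot: The new `!entry` path in dump_task_core_all fails the dump without logging anything, so an operator sees a failed dump with no hint that the seccomp entry for the pid was missing. Unless seccomp_find_entry (not visible in this patch) already reports the miss, add a message before the jump, e.g. `pr_err("Can't find seccomp entry for %d\n", pid);`. The `if (!task_seccomp_entry) goto err;` added to collect_threads in criu/seize.c has the same gap, and there `ret` has not been assigned yet when the jump is taken, which matters if the err label (outside that hunk) returns it. The function body continues outside this hunk.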
diff --git a/criu/include/pstree.h b/criu/include/pstree.h
index c223238b6be2..ad67eb07e799 100644
--- a/criu/include/pstree.h
+++ b/criu/include/pstree.h
@@ -62,7 +62,7 @@  struct dmp_info {
 	struct ns_id *netns;
 	struct seccomp_entry *seccomp_entry;
 	size_t nr_seccomp_entry;
-	struct proc_status_creds *pi_creds;
+	unsigned int last_filter;
 	struct page_pipe *mem_pp;
 	struct parasite_ctl *parasite_ctl;
 };
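Review bot: `last_filter` now lives in dmp_info with no comment saying what it holds or who sets it. In this patch it is written only in collect_filter_for_pstree and read in dump_task_core_all when the mode is SECCOMP_MODE_FILTER, so a task that never reaches the writer depends on dmp_info starting zeroed (the old pi_creds was xzalloc'ed); the allocation of dmp_info is not shown here, so that is worth confirming. Suggested comment on the field: `/* id of the last seccomp filter collected for this task, set by collect_filter_for_pstree() */`.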
diff --git a/criu/seccomp.c b/criu/seccomp.c
index 90a708117390..00a1a94656b7 100644
--- a/criu/seccomp.c
+++ b/criu/seccomp.c
@@ -139,7 +139,7 @@  static int collect_filter_for_pstree(struct pstree_item *item)
 			}
 		}
 
-		last_filter = dmpi(item->parent)->pi_creds->last_filter;
+		last_filter = dmpi(item->parent)->last_filter;
 		inherited = find_inherited(last_filter, buf, len, meta);
 		if (inherited) {
 			bool found = false;
@@ -200,7 +200,7 @@  static int collect_filter_for_pstree(struct pstree_item *item)
 
 	next_filter_id += info_count;
 
-	dmpi(item)->pi_creds->last_filter = infos->id;
+	dmpi(item)->last_filter = infos->id;
 
 	/* Don't free the part of the tree we just successfully acquired */
 	infos = NULL;
diff --git a/criu/seize.c b/criu/seize.c
index 722ffc5bb79a..2223ab27e362 100644
--- a/criu/seize.c
+++ b/criu/seize.c
@@ -464,7 +464,7 @@  static int collect_children(struct pstree_item *item)
 	nr_inprogress = 0;
 	for (i = 0; i < nr_children; i++) {
 		struct pstree_item *c;
-		struct proc_status_creds *creds;
+		struct proc_status_creds creds;
 		pid_t pid = ch[i];
 
 		/* Is it already frozen? */
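Review bot: `struct proc_status_creds creds;` is now an uninitialised stack object, whereas the xzalloc'ed one it replaces started zeroed, and `creds.s.seccomp_mode` is later passed to seccomp_collect_entry. If parse_task_status (not visible here) can return success without writing every field of `creds.s`, the seccomp mode recorded for the child would be stack garbage. Keeping the old guarantee costs one line: `struct proc_status_creds creds = { 0 };`. The same applies to the `creds` declared in collect_pstree further down. The loop body continues outside this hunk.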
@@ -490,13 +490,7 @@  static int collect_children(struct pstree_item *item)
 			/* fails when meets a zombie */
 			compel_interrupt_task(pid);
 
-		creds = xzalloc(sizeof(*creds));
-		if (!creds) {
-			ret = -1;
-			goto free;
-		}
-
-		ret = compel_wait_task(pid, item->pid->real, parse_task_status, NULL, &creds->s, c);
+		ret = compel_wait_task(pid, item->pid->real, parse_task_status, NULL, &creds.s, c);
 		if (ret < 0) {
 			/*
 			 * Here is a race window between parse_children() and seize(),
@@ -507,7 +501,6 @@  static int collect_children(struct pstree_item *item)
 			 */
 			ret = 0;
 			free_pstree_item(c);
-			xfree(creds);
 			continue;
 		}
 
@@ -516,13 +509,12 @@  static int collect_children(struct pstree_item *item)
 		else
 			processes_to_wait--;
 
-		dmpi(c)->pi_creds = creds;
 		c->pid->real = pid;
 		c->parent = item;
 		c->pid->state = ret;
 		list_add_tail(&c->sibling, &item->children);
 
-		ret = seccomp_collect_entry(c, pid, creds->s.seccomp_mode);
+		ret = seccomp_collect_entry(c, pid, creds.s.seccomp_mode);
 		if (ret < 0)
 			goto free;
 
@@ -636,46 +628,6 @@  static inline bool thread_collected(struct pstree_item *i, pid_t tid)
 	return false;
 }
 
-static bool creds_dumpable(struct proc_status_creds *parent,
-				struct proc_status_creds *child)
-{
-	/*
-	 *  - seccomp filters should be passed via
-	 *    semantic comparison (FIXME) but for
-	 *    now we require them to be exactly
-	 *    identical
-	 */
-	if (parent->s.seccomp_mode != child->s.seccomp_mode ||
-	    parent->last_filter != child->last_filter) {
-		if (!pr_quelled(LOG_DEBUG)) {
-			pr_debug("Creds undumpable (parent:child)\n"
-				 "  uids:               %d:%d %d:%d %d:%d %d:%d\n"
-				 "  gids:               %d:%d %d:%d %d:%d %d:%d\n"
-				 "  state:              %d:%d"
-				 "  ppid:               %d:%d\n"
-				 "  shdpnd:             %llu:%llu\n"
-				 "  seccomp_mode:       %d:%d\n"
-				 "  last_filter:        %u:%u\n",
-				 parent->uids[0], child->uids[0],
-				 parent->uids[1], child->uids[1],
-				 parent->uids[2], child->uids[2],
-				 parent->uids[3], child->uids[3],
-				 parent->gids[0], child->gids[0],
-				 parent->gids[1], child->gids[1],
-				 parent->gids[2], child->gids[2],
-				 parent->gids[3], child->gids[3],
-				 parent->s.state, child->s.state,
-				 parent->s.ppid, child->s.ppid,
-				 parent->s.shdpnd, child->s.shdpnd,
-				 parent->s.seccomp_mode, child->s.seccomp_mode,
-				 parent->last_filter, child->last_filter);
-		}
-		return false;
-	}
-
-	return true;
-}
-
 static int parse_thread_status(int pid, struct seize_task_status *ss, void *thread)
 {
 	return parse_pid_status(pid, ss, NULL, thread);
@@ -683,10 +635,15 @@  static int parse_thread_status(int pid, struct seize_task_status *ss, void *thre
 
 static int collect_threads(struct pstree_item *item)
 {
+	struct seccomp_entry *task_seccomp_entry;
 	struct pid **threads = NULL;
 	int nr_threads = 0, i = 0, j, ret, nr_inprogress, nr_stopped = 0;
 	int level = item->pid->level, id;
 
+	task_seccomp_entry = seccomp_find_entry(item, item->pid->real);
+	if (!task_seccomp_entry)
+		goto err;
+
 	ret = parse_threads(item->pid->real, &threads, &nr_threads);
 	if (ret < 0)
 		goto err;
@@ -770,8 +727,13 @@  static int collect_threads(struct pstree_item *item)
 		if (seccomp_collect_entry(item, pid, t_creds.s.seccomp_mode))
 			goto err;
 
-		if (!creds_dumpable(dmpi(item)->pi_creds, &t_creds))
+		if (task_seccomp_entry->mode != t_creds.s.seccomp_mode) {
+			pr_err("Unsupported seccomp mode change: tids %d %d modes %d %d\n",
+			       item->pid->real, pid,
+			       task_seccomp_entry->mode,
+			       t_creds.s.seccomp_mode);
 			goto err;
+		}
 
 		if (ret == TASK_STOPPED) {
 			nr_stopped++;
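Review bot: Comparing only `task_seccomp_entry->mode` with `t_creds.s.seccomp_mode` does not establish that the thread runs the same filters as the leader: seccomp filters are attached per thread, so two threads can both report SECCOMP_MODE_FILTER with different filter chains. dump_task_core_all still records a single per-task `dmpi(item)->last_filter`, so if nothing later in the series compares or dumps per-thread filters, a restored thread could end up with a different sandbox than it had at dump time. A comment above the check should state the limitation, e.g. `/* Only the mode is compared here; per-thread filter chains are not checked */`. collect_threads continues outside this hunk.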
@@ -863,7 +825,7 @@  int collect_pstree(void)
 {
 	pid_t pid = root_item->pid->real;
 	int ret = -1;
-	struct proc_status_creds *creds;
+	struct proc_status_creds creds;
 
 	timing_start(TIME_FREEZING);
 
@@ -882,11 +844,7 @@  int collect_pstree(void)
 		goto err;
 	}
 
-	creds = xzalloc(sizeof(*creds));
-	if (!creds)
-		goto err;
-
-	ret = compel_wait_task(pid, -1, parse_task_status, NULL, &creds->s, root_item);
+	ret = compel_wait_task(pid, -1, parse_task_status, NULL, &creds.s, root_item);
 	if (ret < 0)
 		goto err;
 
@@ -897,9 +855,8 @@  int collect_pstree(void)
 
 	pr_info("Seized task %d, state %d\n", pid, ret);
 	root_item->pid->state = ret;
-	dmpi(root_item)->pi_creds = creds;
 
-	ret = seccomp_collect_entry(root_item, pid, creds->s.seccomp_mode);
+	ret = seccomp_collect_entry(root_item, pid, creds.s.seccomp_mode);
 	if (ret < 0)
 		goto err;