[10/28] seccomp: images, core -- Move seccomp data into per-thread origin

Submitted by Cyrill Gorcunov on March 20, 2018, 9:42 p.m.

Details

Message ID 20180320214313.25326-11-gorcunov@gmail.com
State Rejected
Series "seccomp, v2: Add support for per-thread tracking"
Headers show

Commit Message

Cyrill Gorcunov March 20, 2018, 9:42 p.m.
From: Cyrill Gorcunov <gorcunov@virtuozzo.com>

Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
---
 criu/cr-dump.c        | 11 +++++++----
 criu/cr-restore.c     | 20 +++++++++++++++++---
 criu/include/pstree.h |  1 +
 criu/pstree.c         | 12 ++++++++++++
 criu/seccomp.c        |  8 ++++----
 images/core.proto     |  8 ++++++--
 6 files changed, 47 insertions(+), 13 deletions(-)

Patch hide | download patch | download mbox

diff --git a/criu/cr-dump.c b/criu/cr-dump.c
index 7a2a5fa6e51e..3bc07e6c5cf3 100644
--- a/criu/cr-dump.c
+++ b/criu/cr-dump.c
@@ -766,13 +766,16 @@  static int dump_task_core_all(struct parasite_ctl *ctl,
 	}
 
 	if (entry->mode != SECCOMP_MODE_DISABLED) {
+		ThreadCoreEntry *thread_core = pstree_thread_core(item, pid);
+		BUG_ON(!thread_core);
+
 		pr_info("got seccomp mode %d for %d\n", entry->mode, vpid(item));
-		core->tc->has_seccomp_mode = true;
-		core->tc->seccomp_mode = entry->mode;
+		thread_core->has_seccomp_mode = true;
+		thread_core->seccomp_mode = entry->mode;
 
 		if (entry->mode == SECCOMP_MODE_FILTER) {
-			core->tc->has_seccomp_filter = true;
-			core->tc->seccomp_filter = dmpi(item)->last_filter;
+			thread_core->has_seccomp_filter = true;
+			thread_core->seccomp_filter = dmpi(item)->last_filter;
 		}
 	}
 
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index db913b2dae2e..b9f8de5e82b1 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -1236,6 +1236,20 @@  static int check_core(CoreEntry *core, struct pstree_item *me)
 			pr_err("Core info data missed for non-zombie\n");
 			goto out;
 		}
+
+		/*
+		 * Seccomp are moved to per-thread origin,
+		 * so for old images we need to move per-task
+		 * data into proper place.
+		 */
+		if (core->tc->has_old_seccomp_mode) {
+			core->thread_core->has_seccomp_mode = core->tc->has_old_seccomp_mode;
+			core->thread_core->seccomp_mode = core->tc->old_seccomp_mode;
+		}
+		if (core->tc->has_old_seccomp_filter) {
+			core->thread_core->has_seccomp_filter = core->tc->has_old_seccomp_filter;
+			core->thread_core->seccomp_filter = core->tc->old_seccomp_filter;
+		}
 	}
 
 	ret = 0;
@@ -1505,7 +1519,7 @@  static inline int fork_with_pid(struct pstree_item *item)
 		item->pid->state = ca.core->tc->task_state;
 		rsti(item)->cg_set = ca.core->tc->cg_set;
 
-		rsti(item)->has_seccomp = ca.core->tc->seccomp_mode != SECCOMP_MODE_DISABLED;
+		rsti(item)->has_seccomp = ca.core->thread_core->seccomp_mode != SECCOMP_MODE_DISABLED;
 
 		if (item->pid->state != TASK_DEAD && !task_alive(item)) {
 			pr_err("Unknown task state %d\n", item->pid->state);
@@ -3657,8 +3671,8 @@  static int sigreturn_restore(pid_t pid, struct task_restore_args *task_args, uns
 	RST_MEM_FIXUP_PPTR(task_args->seccomp_filters);
 	RST_MEM_FIXUP_PPTR(task_args->vma_ios);
 
-	if (core->tc->has_seccomp_mode)
-		task_args->seccomp_mode = core->tc->seccomp_mode;
+	if (core->thread_core->has_seccomp_mode)
+		task_args->seccomp_mode = core->thread_core->seccomp_mode;
 
 	task_args->compatible_mode = core_is_compat(core);
 
diff --git a/criu/include/pstree.h b/criu/include/pstree.h
index ad67eb07e799..e7922cfaa5b9 100644
--- a/criu/include/pstree.h
+++ b/criu/include/pstree.h
@@ -141,6 +141,7 @@  extern struct _TaskKobjIdsEntry *root_ids;
 
 extern void core_entry_free(CoreEntry *core);
 extern CoreEntry *core_entry_alloc(int alloc_thread_info, int alloc_tc);
+extern ThreadCoreEntry *pstree_thread_core(const struct pstree_item *item, pid_t pid);
 extern int pstree_alloc_cores(struct pstree_item *item);
 extern void pstree_free_cores(struct pstree_item *item);
 
diff --git a/criu/pstree.c b/criu/pstree.c
index 3b802a64a419..cd887418c80b 100644
--- a/criu/pstree.c
+++ b/criu/pstree.c
@@ -139,6 +139,18 @@  CoreEntry *core_entry_alloc(int th, int tsk)
 	return core;
 }
 
+ThreadCoreEntry *pstree_thread_core(const struct pstree_item *item, pid_t pid)
+{
+	unsigned int i;
+
+	for (i = 0; i < item->nr_threads; i++) {
+		if (item->threads[i]->real == pid)
+			return item->core[i]->thread_core;
+	}
+
+	return NULL;
+}
+
 int pstree_alloc_cores(struct pstree_item *item)
 {
 	unsigned int i;
diff --git a/criu/seccomp.c b/criu/seccomp.c
index 849f972dd834..1f525633d3c2 100644
--- a/criu/seccomp.c
+++ b/criu/seccomp.c
@@ -300,13 +300,13 @@  int seccomp_filters_get_rst_pos(CoreEntry *core, struct task_restore_args *ta)
 
 	ta->seccomp_filters_n = 0;
 
-	if (!core->tc->has_seccomp_filter)
+	if (!core->thread_core->has_seccomp_filter)
 		return 0;
 
 	ta->seccomp_filters = (struct sock_fprog *)rst_mem_align_cpos(RM_PRIVATE);
 
-	BUG_ON(core->tc->seccomp_filter > se->n_seccomp_filters);
-	sf = se->seccomp_filters[core->tc->seccomp_filter];
+	BUG_ON(core->thread_core->seccomp_filter > se->n_seccomp_filters);
+	sf = se->seccomp_filters[core->thread_core->seccomp_filter];
 
 	while (1) {
 		ta->seccomp_filters_n++;
@@ -324,7 +324,7 @@  int seccomp_filters_get_rst_pos(CoreEntry *core, struct task_restore_args *ta)
 		goto out;
 
 	filter_data = &arr[n_filters];
-	sf = se->seccomp_filters[core->tc->seccomp_filter];
+	sf = se->seccomp_filters[core->thread_core->seccomp_filter];
 	for (i = 0; i < n_filters; i++) {
 		struct sock_fprog *fprog = &arr[i];
 
diff --git a/images/core.proto b/images/core.proto
index 0291fae68ea8..726803646444 100644
--- a/images/core.proto
+++ b/images/core.proto
@@ -40,8 +40,9 @@  message task_core_entry {
 
 	optional signal_queue_entry	signals_s	= 10;
 
-	optional seccomp_mode		seccomp_mode	= 11;
-	optional uint32			seccomp_filter	= 12;
+	/* These two are deprecated, should be per-thread */
+	optional seccomp_mode	old_seccomp_mode	= 11;
+	optional uint32		old_seccomp_filter	= 12;
 
 	optional uint32			loginuid	= 13;
 
@@ -87,6 +88,9 @@  message thread_core_entry {
 
 	optional signal_queue_entry	signals_p	= 9;
 	optional creds_entry		creds		= 10;
+
+	optional seccomp_mode		seccomp_mode	= 11;
+	optional uint32			seccomp_filter	= 12;
 }
 
 message task_rlimits_entry {