In vzctl/libvzctl bundle we restore container like - create ve/$ctid cgroup - move self into this cgroup - run criu from inside
So that kernel code passes ve_can_attach test. In turn for our P.Haul project (which is managing live migration) the situation is different -- it opens ve/$ctid but moves criu service pid instead (so that the service will start restore procedure). Which leads to situation where ve_can_attach fails with -EINVAL. Reported-by: Nikita Spiridonov <nspirido...@odin.com> Signed-off-by: Cyrill Gorcunov <gorcu...@odin.com> CC: Vladimir Davydov <vdavy...@odin.com> CC: Konstantin Khorenko <khore...@odin.com> CC: Pavel Emelyanov <xe...@odin.com> CC: Andrey Vagin <ava...@odin.com> --- Guys, could you please take a look, especially from security POV, is it safe to remove all these checks? kernel/ve/ve.c | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) Index: linux-pcs7.git/kernel/ve/ve.c =================================================================== --- linux-pcs7.git.orig/kernel/ve/ve.c +++ linux-pcs7.git/kernel/ve/ve.c @@ -750,13 +750,6 @@ static void ve_destroy(struct cgroup *cg static int ve_can_attach(struct cgroup *cg, struct cgroup_taskset *tset) { struct ve_struct *ve = cgroup_ve(cg); - struct task_struct *task = current; - - if (cgroup_taskset_size(tset) != 1 || - cgroup_taskset_first(tset) != task || - !thread_group_leader(task) || - !thread_group_empty(task)) - return -EINVAL; if (ve->is_locked) return -EBUSY; @@ -775,20 +768,22 @@ static int ve_can_attach(struct cgroup * static void ve_attach(struct cgroup *cg, struct cgroup_taskset *tset) { struct ve_struct *ve = cgroup_ve(cg); - struct task_struct *tsk = current; - - /* this probihibts ptracing of task entered to VE from host system */ - if (ve->is_running && tsk->mm) - tsk->mm->vps_dumpable = VD_VE_ENTER_TASK; + struct task_struct *tsk; - /* Drop OOM protection. */ - tsk->signal->oom_score_adj = 0; - tsk->signal->oom_score_adj_min = 0; + cgroup_taskset_for_each(tsk, cg, tset) { + /* this probihibts ptracing of task entered to VE from host system */ + if (ve->is_running && tsk->mm) + tsk->mm->vps_dumpable = VD_VE_ENTER_TASK; + + /* Drop OOM protection. */ + tsk->signal->oom_score_adj = 0; + tsk->signal->oom_score_adj_min = 0; - /* Leave parent exec domain */ - tsk->parent_exec_id--; + /* Leave parent exec domain */ + tsk->parent_exec_id--; - tsk->task_ve = ve; + tsk->task_ve = ve; + } } static int ve_state_read(struct cgroup *cg, struct cftype *cft, _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel