On Mon, Jul 20, 2020 at 01:54:52PM +0200, Christian Brauner wrote:
> On Sun, Jul 19, 2020 at 08:17:30PM +0200, Christian Brauner wrote:
> > On Sun, Jul 19, 2020 at 12:04:10PM +0200, Adrian Reber wrote:
> > > This is v6 of the 'Introduce CAP_CHECKPOINT_RESTORE' patchset.
g exe link")
[6] https://lore.kernel.org/patchwork/patch/697304/
[7] 4d28df6152aa ("prctl: Allow local CAP_SYS_ADMIN changing exe_file")
[8] https://github.com/nviennot/run_as_exe
Signed-off-by: Nicolas Viennot
Signed-off-by: Adrian Reber
---
kernel/sys.c | 11 +++
1 file
From: Nicolas Viennot
This brings consistency with the rest of the prctl() syscall where
-EPERM is returned when failing a capability check.
Signed-off-by: Nicolas Viennot
Signed-off-by: Adrian Reber
---
kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel
Use the newly introduced capability CAP_CHECKPOINT_RESTORE to allow
writing to ns_last_pid.
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
Acked-by: Christian Brauner
Reviewed-by: Serge Hallyn
---
kernel/pid_namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
Opening files in /proc/pid/map_files when the current user is
CAP_CHECKPOINT_RESTORE capable in the root namespace is useful for
checkpointing and restoring to recover files that are unreachable via
the file system such as deleted files, or memfd files.
Signed-off-by: Adrian Reber
Signed-off-by
This adds a test that changes its UID, uses capabilities to
get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to
create a process with a given PID as non-root.
Signed-off-by: Adrian Reber
---
tools/testing/selftests/clone3/.gitignore | 1 +
tools/testing/selftests/clone3/Makefile
Use the newly introduced capability CAP_CHECKPOINT_RESTORE to allow
using clone3() with set_tid set.
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
Acked-by: Christian Brauner
Reviewed-by: Serge Hallyn
---
kernel/pid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
es -EINVAL to -EPERM
* use kselftest_harness.h infrastructure for test
* replace if (!capable(CAP_SYS_ADMIN) || !capable(CAP_CHECKPOINT_RESTORE))
with if (!checkpoint_restore_ns_capable(&init_user_ns))
Adrian Reber (5):
capabilities: Introduce CAP_CHECKPOINT_REST
or memfd files.
See corresponding selftest for an example with clone3().
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
Acked-by: Christian Brauner
Reviewed-by: Serge Hallyn
---
include/linux/capability.h | 6 ++
include/uapi/linux/capability.h | 9 -
s
Opening files in /proc/pid/map_files when the current user is
CAP_CHECKPOINT_RESTORE capable in the root namespace is useful for
checkpointing and restoring to recover files that are unreachable via
the file system such as deleted files, or memfd files.
Signed-off-by: Adrian Reber
Signed-off-by
: Adrian Reber
---
kernel/sys.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index 00a96746e28a..dd59b9142b1d 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2007,12 +2007,14 @@ static int prctl_set_mm_map(int opt, const void __user
This adds a test that changes its UID, uses capabilities to
get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to
create a process with a given PID as non-root.
Signed-off-by: Adrian Reber
Acked-by: Serge Hallyn
---
tools/testing/selftests/clone3/Makefile | 4 +-
.../clone3
Use the newly introduced capability CAP_CHECKPOINT_RESTORE to allow
writing to ns_last_pid.
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
---
kernel/pid_namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
Use the newly introduced capability CAP_CHECKPOINT_RESTORE to allow
using clone3() with set_tid set.
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
---
kernel/pid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/pid.c b/kernel/pid.c
index de9d29c41d77
d
files.
See corresponding selftest for an example with clone3().
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
---
include/linux/capability.h | 6 ++
include/uapi/linux/capability.h | 9 -
security/selinux/include/classmap.h | 5 +++--
3 files changed
This is v5 of the 'Introduce CAP_CHECKPOINT_RESTORE' patchset. The
changes to v4 are:
* split into more patches to have the introduction of
CAP_CHECKPOINT_RESTORE and the actual usage in different
patches
* reduce the /proc/self/exe patch to only be about
CAP_CHECKPOINT_RESTO
On Thu, Jul 02, 2020 at 03:53:05PM -0500, Serge E. Hallyn wrote:
> On Wed, Jul 01, 2020 at 08:49:05AM +0200, Adrian Reber wrote:
> > This adds a test that changes its UID, uses capabilities to
> > get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to
> > create a proces
On Wed, Jul 01, 2020 at 10:27:08AM +0200, Christian Brauner wrote:
> On Wed, Jul 01, 2020 at 08:49:04AM +0200, Adrian Reber wrote:
> > This patch introduces CAP_CHECKPOINT_RESTORE, a new capability facilitating
> > checkpoint/restore for non-root users.
> >
> > Ov
This adds a test that changes its UID, uses capabilities to
get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to
create a process with a given PID as non-root.
Signed-off-by: Adrian Reber
---
tools/testing/selftests/clone3/Makefile | 4 +-
.../clone3
: Adrian Reber
---
include/linux/lsm_hook_defs.h | 1 +
include/linux/security.h | 6 ++
kernel/sys.c | 12
security/commoncap.c | 26 ++
security/security.c | 5 +
security/selinux/hooks.c | 14
d
files.
See corresponding selftest for an example with clone3().
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
---
fs/proc/base.c | 8
include/linux/capability.h | 6 ++
include/uapi/linux/capability.h | 9
le
according to the system's security policy.)
Nicolas updated the last patch (3/3). The first two patches are
unchanged from v3.
Adrian Reber (2):
capabilities: Introduce CAP_CHECKPOINT_RESTORE
selftests: add clone3() CAP_CHECKPOINT_RESTORE test
Nicolas Viennot (1):
prctl: Allow ptrace ca
permission error code from -EINVAL to
-EPERM for consistency with the rest of the prctl() syscall when
checking capabilities.
Signed-off-by: Nicolas Viennot
Signed-off-by: Adrian Reber
---
kernel/sys.c | 21 -
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a
This adds a test that changes its UID, uses capabilities to
get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to
create a process with a given PID as non-root.
Signed-off-by: Adrian Reber
---
tools/testing/selftests/clone3/Makefile | 4 +-
.../clone3
d
files.
See corresponding selftest for an example with clone3().
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
---
v2:
- Renamed CAP_RESTORE to CAP_CHECKPOINT_RESTORE
- Added a test
- Added details about CRIU's use of map_files
- Allow changing /pro
g it. Even if this
happens we still need CAP_CHECKPOINT_RESTORE and the removal or change
to ns_capable() is not blocked by this patchset.
Besides that there was nothing speaking against CAP_CHECKPOINT_RESTORE
during the v2 discussions.
Adrian Reber (2):
capabilities: Introduce CAP_CHECKPOI
This adds a test that changes its UID, uses capabilities to
get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to
create a process with a given PID as non-root.
Signed-off-by: Adrian Reber
---
tools/testing/selftests/clone3/Makefile | 4 +-
.../clone3
t difference is that the patchset now provides all the
changes, which are necessary to use CRIU to checkpoint and restore a
process as non-root if CAP_CHECKPOINT_RESTORE is set.
Adrian Reber (2):
capabilities: Introduce CAP_CHECKPOINT_RESTORE
selftests: add clone3() CAP_CHECKPOINT_RESTORE test
d
files.
See corresponding selftest for an example with clone3().
Signed-off-by: Adrian Reber
Signed-off-by: Nicolas Viennot
---
v2:
- Renamed CAP_RESTORE to CAP_CHECKPOINT_RESTORE
- Added a test
- Added details about CRIU's use of map_files
- Allow changing /pro
permission error code from -EINVAL to
-EPERM for consistency with the rest of the prctl() syscall when
checking capabilities.
Signed-off-by: Nicolas Viennot
Signed-off-by: Adrian Reber
---
kernel/sys.c | 21 -
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a
mespace work.
Adrian
> On Tue, 17 Mar 2020 at 09:32, Adrian Reber wrote:
> >
> > This is an attempt to add time namespace support to clone3(). I am not
> > really sure which way clone3() should handle time namespaces. The time
> > namespace through /proc cannot be
On Tue, May 26, 2020 at 08:59:29AM -0500, Eric W. Biederman wrote:
> Adrian Reber writes:
>
> > On Fri, May 22, 2020 at 09:40:37AM -0700, Casey Schaufler wrote:
>
> >> What are the other blockers? Are you going to suggest additional new
> >> capabilities to
On Mon, May 25, 2020 at 11:55:20AM -0700, Casey Schaufler wrote:
> On 5/25/2020 1:05 AM, Adrian Reber wrote:
> > On Fri, May 22, 2020 at 09:40:37AM -0700, Casey Schaufler wrote:
> >> On 5/21/2020 10:53 PM, Adrian Reber wrote:
> >>> This enables CRIU to checkpoint and
On Fri, May 22, 2020 at 09:40:37AM -0700, Casey Schaufler wrote:
> On 5/21/2020 10:53 PM, Adrian Reber wrote:
> > This enables CRIU to checkpoint and restore a process as non-root.
>
> I know it sounds pedantic, but could you spell out CRIU once?
> While I know that everyon
printf("I am the child!\n");
exit(0);
} else if (new_pid == pid)
printf("I am the parent. My child got the pid %d!\n", new_pid);
else
printf("pid (%d) does not match expected pid (%d)\n", new_pid,
pid);
On Mon, Sep 16, 2019 at 09:49:34AM +0200, Christian Brauner wrote:
> On Tue, Sep 10, 2019 at 07:01:30PM +0100, Eugene Syromiatnikov wrote:
> > Hello.
> >
> > This patch set updates clone3 selftest in several aspects:
> > - adding checks for exit_signal invalid values handling;
> > - adding clone
On Mon, Aug 12, 2019 at 01:43:53PM -0700, Andrei Vagin wrote:
> On Mon, Aug 12, 2019 at 1:10 PM Adrian Reber wrote:
> >
> > The main motivation to add set_tid to clone3() is CRIU.
> >
> > To restore a process with the same PID/TID CRIU currently uses
> > /proc/
set_tid) tries to call clone3()
with different sizes of clone_args.
Signed-off-by: Adrian Reber
---
tools/testing/selftests/clone3/.gitignore | 2 +
tools/testing/selftests/clone3/Makefile | 11 +
tools/testing/selftests/clone3/clone3.c | 231 ++
.../testing
clone3() with set_tid as they are currently in place for ns_last_pid.
Signed-off-by: Adrian Reber
---
v2:
- Removed (size < sizeof(struct clone_args)) as discussed with
Christian and Dmitry
- Added comment to ((set_tid != 1) && idr_get_cursor() <= 1) (Oleg)
- Use idr_allo
clone3() with set_tid as they are currently in place for ns_last_pid.
Signed-off-by: Adrian Reber
---
v2:
- Removed (size < sizeof(struct clone_args)) as discussed with
Christian and Dmitry
- Added comment to ((set_tid != 1) && idr_get_cursor() <= 1) (Oleg)
- Use idr_allo
This tests clone3() with and without set_tid to see if all desired PIDs
are working as expected. The test tries to clone3() with a set_tid of
-1, 1, pid_max, a PID which is already in use and an unused PID. The
same tests are also running in PID namespace.
Signed-off-by: Adrian Reber
---
tools
On Sun, Aug 11, 2019 at 09:06:59PM +0200, Christian Brauner wrote:
> On Sun, Aug 11, 2019 at 08:51:48AM +0200, Christian Brauner wrote:
> > On Sat, Aug 10, 2019 at 07:59:18AM +0200, Adrian Reber wrote:
> > > On Sat, Aug 10, 2019 at 03:10:34AM +0200, Christian Brauner wrote:
>
On Sat, Aug 10, 2019 at 03:10:34AM +0200, Christian Brauner wrote:
> On Thu, Aug 08, 2019 at 11:22:21PM +0200, Adrian Reber wrote:
> > The main motivation to add set_tid to clone3() is CRIU.
> >
> > To restore a process with the same PID/TID CRIU currently uses
> > /
This tests clone3() with and without set_tid to see if all desired PIDs
are working as expected. The test tries to clone3() with a set_tid of
-1, 1, pid_max, a PID which is already in use and an unused PID. The
same tests are also running in PID namespace.
Signed-off-by: Adrian Reber
---
tools
clone3() with set_tid as they are currently in place for ns_last_pid.
Signed-off-by: Adrian Reber
---
v2:
- Removed (size < sizeof(struct clone_args)) as discussed with
Christian and Dmitry
- Added comment to ((set_tid != 1) && idr_get_cursor() <= 1) (Oleg)
- Use idr_allo
This tests clone3() with and without set_tid to see if all desired PIDs
are working as expected. The test tries to clone3() with a set_tid of
-1, 1, pid_max, a PID which is already in use and an unused PID. The
same tests are also running in PID namespace.
Signed-off-by: Adrian Reber
---
tools
clone3() with set_tid as they are currently in place for ns_last_pid.
Signed-off-by: Adrian Reber
---
v2:
- Removed (size < sizeof(struct clone_args)) as discussed with
Christian and Dmitry
- Added comment to ((set_tid != 1) && idr_get_cursor() <= 1) (Oleg)
- Use idr_allo
On Fri, Aug 02, 2019 at 03:52:49PM +0200, Christian Brauner wrote:
> On Fri, Aug 02, 2019 at 03:46:11PM +0200, Oleg Nesterov wrote:
> > On 08/02, Oleg Nesterov wrote:
> > >
> > > So Adrian, sorry for confusion, I think your patch is fine.
Good to know.
> > Yes... but do we really need the new CLO
On Fri, Aug 02, 2019 at 03:50:54PM +0200, Christian Brauner wrote:
> On Fri, Aug 02, 2019 at 03:30:01PM +0200, Oleg Nesterov wrote:
> > On 08/02, Christian Brauner wrote:
> > >
> > > On Wed, Jul 31, 2019 at 06:12:22PM +0200, Adrian Reber wrote:
> > > > The
On Wed, Jul 31, 2019 at 07:41:36PM +0200, Oleg Nesterov wrote:
> On 07/31, Adrian Reber wrote:
> >
> > Extending clone3() to support CLONE_SET_TID makes it possible restore a
> > process using CRIU without accessing /proc/sys/kernel/ns_last_pid and
> > race free (as lon
cyclic() (Oleg)
Signed-off-by: Adrian Reber
---
include/linux/pid.h| 2 +-
include/linux/sched/task.h | 1 +
include/uapi/linux/sched.h | 2 ++
kernel/fork.c | 25 -
kernel/pid.c | 30 +++---
5 files changed, 43 ins
This tests clone3() with set_tid to see if all desired PIDs are working
as expected. The test tries to clone3() with a set_tid of -1, 1,
pid_max, a PID which is already in use and an unused PID. The same
tests are also running in PID namespace.
Signed-off-by: Adrian Reber
---
tools/testing
This tests clone3() with set_tid to see if all desired PIDs are working
as expected. The test tries to clone3() with a set_tid of -1, 1,
pid_max, a PID which is already in use and an unused PID. The same
tests are also running in PID namespace.
Signed-off-by: Adrian Reber
---
tools/testing
(CAP_SYS_ADMIN)
on clone3() with set_tid as they are currently in place for ns_last_pid.
Signed-off-by: Adrian Reber
---
include/linux/pid.h| 2 +-
include/linux/sched/task.h | 1 +
include/uapi/linux/sched.h | 2 ++
kernel/fork.c | 22 --
kernel/pid.c
On Fri, Jul 13, 2018 at 08:46:25AM -0500, Eric W. Biederman wrote:
> Pavel Emelyanov writes:
>
> > On 07/12/2018 07:33 PM, Eric W. Biederman wrote:
> >>
> >> Adrian Reber writes:
> >>
> >>> The CHECKPOINT_RESTORE configuration option wa
EXPERT and moves the configuration option out of the EXPERT
block.
Signed-off-by: Adrian Reber
Cc: Oleg Nesterov
Cc: Pavel Emelyanov
Cc: Andrew Morton
Cc: Eric W. Biederman
Cc: Andrei Vagin
Cc: Hendrik Brueckner
---
init/Kconfig | 24
1 file changed, 12 insertions
On Wed, May 02, 2018 at 11:14:48PM +0200, Christoph Hellwig wrote:
> This is the io_getevents equivalent of ppoll/pselect and allows to
> properly mix signals and aio completions (especially with IOCB_CMD_POLL)
> and atomically executes the following sequence:
>
> sigset_t origmask;
>
>
On Thu, Feb 08, 2007 at 06:21:56PM +0100, Arnd Bergmann wrote:
[...]
> Moving the sample rate computation to user space sounds like the right
> idea, but why not have a more drastic version of it:
>
> Right now, all products that support this feature run at the same clock
> rate (3.2 Ghz), with cp
Hi
I have a Dual Pentium III 500 Mhz machine.
It has 1GB of memory, an internal amimegaraid controller, two additional
scsi ultra-wide controller sym53c875E (using sym53c8xx.o) and acenic
gigabit ethernet card. I'm patching every kernel to use vlan (802.1Q) and
reiserfs. Currently a 2.4.0-test4
59 matches
Mail list logo
