From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Oren Laadan <orenl@cs.columbia.edu>
Cc: Andrew Morton <akpm@linux-foundation.org>,
torvalds@linux-foundation.org,
containers@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-api@vger.kernel.org, tglx@linutronix.de,
dave@linux.vnet.ibm.com, mingo@elte.hu, hpa@zytor.com,
viro@zeniv.linux.org.uk
Subject: Re: [RFC v7][PATCH 2/9] General infrastructure for checkpoint restart
Date: Wed, 22 Oct 2008 12:03:25 -0500 [thread overview]
Message-ID: <20081022170325.GA4908@us.ibm.com> (raw)
In-Reply-To: <48FF4EB2.5060206@cs.columbia.edu>
Quoting Oren Laadan (orenl@cs.columbia.edu):
>
>
> Serge E. Hallyn wrote:
> > Quoting Oren Laadan (orenl@cs.columbia.edu):
> > Just thinking aloud...
> >
> > Is read mode appropriate? The user can edit the statefile and restart
> > it. Admittedly the restart code should then do all the appropriate
> > checks for recreating resources, but I'm having a hard time thinking
> > through this straight.
> >
> > Let's say hallyn is running passwd. ruid=500,euid=0. He quickly
> > checkpoints. Then he restarts. Will restart say "ok, the /bin/passwd
> > binary is setuid 0 so let hallyn take euid=0 for this?" I guess not.
> > But are there other resources for which this is harder to get right?
>
> I'd say that checkpoint and restart are separate.
>
> In checkpoint, you read the state and save it somewhere; you don't
> modify anything in the target task (container). This equivalent to
> ptrace read-mode. If you could do ptrace, you could save all that
> state. In fact, you could save it in a format that is suitable for
> a future restart ... (or just forge one !)
Yeah, that's convincing.
> In restart, we either don't trust the user and keep everything to
> be done with her credentials, of we trust the root user and allow
> all operations (like loading a kernel module).
>
> We can actually have both modes of operations. How to decide that
> we trust the user is a separate question: one option is to have
> both checkpoint and restart executables setuid - checkpoint will
> sign (in user space) the output image, and restart (in user space)
> will validate the signature, before passing it to the kenrel. Surely
> there are other ways...
Makes sense.
...
> > Hmm, so do you think we just always use the caller's credentials?
>
> Nope, since we will fail to restart in many cases. We will need a way
> to move from caller's credentials to saved credentials, and even from
> caller's credentials to privileged credentials (e.g. to reopen a file
> that was created by a setuid program prior to dropping privileges).
Can we agree to worry about that much much later? :) Would you agree
that for the majority of use-cases, restarting with caller's credentials
will work? Or am I wrong about that?
> To do that, we will need to agree on a way to escalate/change the
> credentials. This however belongs to user-space (and then the binaries
> for checkpoint/restart will be setuid themselves).
Ok those are less scary, and I have no problem with those.
> There will also be the issue of mapping credentials: a user A may have
> one UID/GID on once system and another UID/GID on another system, and
> we may want to do the conversion. This, too, can be done in user space
> prior to restart by using an appropriate filter through the checkpoint
> stream.
User namespaces may help here too. So user A can create a new user
namespace and restart as user B in that namespace. But right now that
sounds like overkill.
-serge
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Oren Laadan <orenl@cs.columbia.edu>
Cc: Andrew Morton <akpm@linux-foundation.org>,
torvalds@linux-foundation.org,
containers@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-api@vger.kernel.org, tglx@linutronix.de,
dave@linux.vnet.ibm.com, mingo@elte.hu, hpa@zytor.com,
viro@zeniv.linux.org.uk
Subject: Re: [RFC v7][PATCH 2/9] General infrastructure for checkpoint restart
Date: Wed, 22 Oct 2008 12:03:25 -0500 [thread overview]
Message-ID: <20081022170325.GA4908@us.ibm.com> (raw)
In-Reply-To: <48FF4EB2.5060206@cs.columbia.edu>
Quoting Oren Laadan (orenl@cs.columbia.edu):
>
>
> Serge E. Hallyn wrote:
> > Quoting Oren Laadan (orenl@cs.columbia.edu):
> > Just thinking aloud...
> >
> > Is read mode appropriate? The user can edit the statefile and restart
> > it. Admittedly the restart code should then do all the appropriate
> > checks for recreating resources, but I'm having a hard time thinking
> > through this straight.
> >
> > Let's say hallyn is running passwd. ruid=500,euid=0. He quickly
> > checkpoints. Then he restarts. Will restart say "ok, the /bin/passwd
> > binary is setuid 0 so let hallyn take euid=0 for this?" I guess not.
> > But are there other resources for which this is harder to get right?
>
> I'd say that checkpoint and restart are separate.
>
> In checkpoint, you read the state and save it somewhere; you don't
> modify anything in the target task (container). This equivalent to
> ptrace read-mode. If you could do ptrace, you could save all that
> state. In fact, you could save it in a format that is suitable for
> a future restart ... (or just forge one !)
Yeah, that's convincing.
> In restart, we either don't trust the user and keep everything to
> be done with her credentials, of we trust the root user and allow
> all operations (like loading a kernel module).
>
> We can actually have both modes of operations. How to decide that
> we trust the user is a separate question: one option is to have
> both checkpoint and restart executables setuid - checkpoint will
> sign (in user space) the output image, and restart (in user space)
> will validate the signature, before passing it to the kenrel. Surely
> there are other ways...
Makes sense.
...
> > Hmm, so do you think we just always use the caller's credentials?
>
> Nope, since we will fail to restart in many cases. We will need a way
> to move from caller's credentials to saved credentials, and even from
> caller's credentials to privileged credentials (e.g. to reopen a file
> that was created by a setuid program prior to dropping privileges).
Can we agree to worry about that much much later? :) Would you agree
that for the majority of use-cases, restarting with caller's credentials
will work? Or am I wrong about that?
> To do that, we will need to agree on a way to escalate/change the
> credentials. This however belongs to user-space (and then the binaries
> for checkpoint/restart will be setuid themselves).
Ok those are less scary, and I have no problem with those.
> There will also be the issue of mapping credentials: a user A may have
> one UID/GID on once system and another UID/GID on another system, and
> we may want to do the conversion. This, too, can be done in user space
> prior to restart by using an appropriate filter through the checkpoint
> stream.
User namespaces may help here too. So user A can create a new user
namespace and restart as user B in that namespace. But right now that
sounds like overkill.
-serge
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2008-10-22 17:03 UTC|newest]
Thread overview: 129+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-20 5:40 [RFC v7][PATCH 0/9] Kernel based checkpoint/restart Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 1/9] Create syscalls: sys_checkpoint, sys_restart Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 2/9] General infrastructure for checkpoint restart Oren Laadan
2008-10-20 5:40 ` Oren Laadan
[not found] ` <1224481237-4892-3-git-send-email-orenl-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-21 19:41 ` Andrew Morton
2008-10-21 19:41 ` Andrew Morton
2008-10-21 19:41 ` Andrew Morton
[not found] ` <20081021124130.a002e838.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2008-10-21 20:24 ` Serge E. Hallyn
2008-10-21 20:24 ` Serge E. Hallyn
2008-10-21 20:24 ` Serge E. Hallyn
[not found] ` <20081021202410.GA10423-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-21 20:41 ` Andrew Morton
2008-10-21 20:41 ` Andrew Morton
2008-10-21 20:41 ` Andrew Morton
2008-10-21 20:41 ` Andrew Morton
2008-10-22 1:33 ` Oren Laadan
2008-10-22 1:33 ` Oren Laadan
2008-10-22 1:33 ` Oren Laadan
[not found] ` <48FE82DF.6030005-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-22 2:55 ` Daniel Jacobowitz
2008-10-22 15:28 ` Serge E. Hallyn
2008-10-22 15:28 ` Serge E. Hallyn
2008-10-22 15:28 ` Serge E. Hallyn
[not found] ` <20081022152804.GA23821-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-22 16:02 ` Oren Laadan
2008-10-22 16:02 ` Oren Laadan
2008-10-22 16:02 ` Oren Laadan
2008-10-22 17:03 ` Serge E. Hallyn [this message]
2008-10-22 17:03 ` Serge E. Hallyn
[not found] ` <20081022170325.GA4908-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-22 18:32 ` Oren Laadan
2008-10-22 18:32 ` Oren Laadan
2008-10-22 18:32 ` Oren Laadan
2008-10-22 18:32 ` Oren Laadan
[not found] ` <48FF4EB2.5060206-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-22 17:03 ` Serge E. Hallyn
2008-10-27 8:27 ` Peter Chubb
2008-10-27 8:27 ` Peter Chubb
2008-10-27 8:27 ` Peter Chubb
[not found] ` <87tzayh27r.wl%peter-LkDQP0DxSMGxwJ88Py/mJxCuuivNXqWP@public.gmane.org>
2008-10-27 11:03 ` Oren Laadan
2008-10-27 11:03 ` Oren Laadan
2008-10-27 11:03 ` Oren Laadan
[not found] ` <49059FED.4030202-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-27 16:42 ` Dave Hansen
2008-10-27 16:42 ` Dave Hansen
2008-10-27 16:42 ` Dave Hansen
2008-10-27 16:42 ` Dave Hansen
2008-10-27 17:11 ` Oren Laadan
2008-10-27 17:11 ` Oren Laadan
2008-10-27 17:11 ` Oren Laadan
[not found] ` <4905F648.4030402-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-27 20:51 ` Matt Helsley
2008-10-27 20:51 ` Matt Helsley
2008-10-27 20:51 ` Matt Helsley
2008-10-27 21:20 ` Serge E. Hallyn
2008-10-27 21:20 ` Serge E. Hallyn
2008-10-27 21:20 ` Serge E. Hallyn
2008-10-27 21:20 ` Serge E. Hallyn
2008-10-27 21:51 ` Oren Laadan
2008-10-27 21:51 ` Oren Laadan
[not found] ` <490637D8.4080404-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-27 22:09 ` Dave Hansen
2008-10-27 22:09 ` Dave Hansen
2008-10-27 22:09 ` Dave Hansen
2008-10-28 18:33 ` Serge E. Hallyn
2008-10-28 18:33 ` Serge E. Hallyn
2008-10-28 18:33 ` Serge E. Hallyn
2008-10-28 18:33 ` Serge E. Hallyn
2008-10-27 22:09 ` Dave Hansen
2008-10-27 21:51 ` Oren Laadan
2008-10-27 20:51 ` Matt Helsley
2008-10-27 17:11 ` Oren Laadan
2008-10-27 11:03 ` Oren Laadan
2008-10-22 16:02 ` Oren Laadan
2008-10-22 15:28 ` Serge E. Hallyn
2008-10-22 2:55 ` Daniel Jacobowitz
2008-10-22 2:55 ` Daniel Jacobowitz
[not found] ` <20081022025513.GA7504-FDxGpBj5bhMn2ysHARXsoQ@public.gmane.org>
2008-10-22 3:02 ` Dave Hansen
2008-10-22 3:02 ` Dave Hansen
2008-10-22 3:02 ` Dave Hansen
2008-10-22 3:02 ` Dave Hansen
2008-10-22 14:29 ` Daniel Jacobowitz
2008-10-22 14:29 ` Daniel Jacobowitz
2008-10-22 14:29 ` Daniel Jacobowitz
2008-10-22 14:29 ` Daniel Jacobowitz
2008-10-22 1:33 ` Oren Laadan
2008-10-21 20:24 ` Serge E. Hallyn
2008-10-21 19:41 ` Andrew Morton
2008-10-20 5:40 ` [RFC v7][PATCH 3/9] x86 support for checkpoint/restart Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 4/9] Dump memory address space Oren Laadan
2008-10-20 5:40 ` Oren Laadan
[not found] ` <1224481237-4892-1-git-send-email-orenl-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-20 5:40 ` [RFC v7][PATCH 1/9] Create syscalls: sys_checkpoint, sys_restart Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 2/9] General infrastructure for checkpoint restart Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 3/9] x86 support for checkpoint/restart Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 4/9] Dump memory address space Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 5/9] Restore " Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 6/9] Checkpoint/restart: initial documentation Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 7/9] Infrastructure for shared objects Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 8/9] Dump open file descriptors Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 9/9] Restore open file descriprtors Oren Laadan
2008-10-21 19:21 ` [RFC v7][PATCH 0/9] Kernel based checkpoint/restart Andrew Morton
2008-10-21 19:21 ` Andrew Morton
2008-10-21 19:21 ` Andrew Morton
2008-10-21 19:21 ` Andrew Morton
[not found] ` <20081021122135.4bce362c.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2008-10-21 20:41 ` Dave Hansen
2008-10-21 20:41 ` Dave Hansen
2008-10-21 20:41 ` Dave Hansen
2008-10-22 9:20 ` Ingo Molnar
2008-10-22 9:20 ` Ingo Molnar
2008-10-22 9:20 ` Ingo Molnar
[not found] ` <20081022092024.GC12453-X9Un+BFzKDI@public.gmane.org>
2008-10-22 11:51 ` Daniel Lezcano
2008-10-22 11:51 ` Daniel Lezcano
2008-10-22 11:51 ` Daniel Lezcano
2008-10-22 11:51 ` Daniel Lezcano
2008-10-22 11:55 ` Cedric Le Goater
2008-10-22 11:55 ` Cedric Le Goater
2008-10-22 9:20 ` Ingo Molnar
2008-10-21 20:41 ` Dave Hansen
2008-10-20 5:40 ` [RFC v7][PATCH 6/9] Checkpoint/restart: initial documentation Oren Laadan
2008-10-20 5:40 ` Oren Laadan
[not found] ` <1224481237-4892-7-git-send-email-orenl-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-10-28 16:48 ` Michael Kerrisk
2008-10-28 16:48 ` Michael Kerrisk
2008-10-28 16:48 ` Michael Kerrisk
2008-10-28 16:48 ` Michael Kerrisk
2008-10-20 5:40 ` [RFC v7][PATCH 8/9] Dump open file descriptors Oren Laadan
2008-10-20 5:40 ` Oren Laadan
2008-10-20 5:40 ` [RFC v7][PATCH 9/9] Restore open file descriprtors Oren Laadan
2008-10-20 5:40 ` Oren Laadan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081022170325.GA4908@us.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=containers@lists.linux-foundation.org \
--cc=dave@linux.vnet.ibm.com \
--cc=hpa@zytor.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@elte.hu \
--cc=orenl@cs.columbia.edu \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.