From: Andrei Vagin <avagin@gmail.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: "Adrian Reber" <areber@redhat.com>,
"Eric Biederman" <ebiederm@xmission.com>,
"Pavel Emelyanov" <ovzxemul@gmail.com>,
"Oleg Nesterov" <oleg@redhat.com>,
"Dmitry Safonov" <0x7f454c46@gmail.com>,
"Nicolas Viennot" <Nicolas.Viennot@twosigma.com>,
"Michał Cłapiński" <mclapinski@google.com>,
"Kamil Yurtsever" <kyurtsever@google.com>,
"Dirk Petersen" <dipeit@gmail.com>,
"Christine Flood" <chf@redhat.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Mike Rapoport" <rppt@linux.ibm.com>,
"Radostin Stoyanov" <rstoyanov1@gmail.com>,
"Cyrill Gorcunov" <gorcunov@openvz.org>,
"Serge Hallyn" <serge@hallyn.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Arnd Bergmann" <arnd@arndb.de>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, selinux@vger.kernel.org,
"Eric Paris" <eparis@parisplace.org>,
"Jann Horn" <jannh@google.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2 1/3] capabilities: Introduce CAP_CHECKPOINT_RESTORE
Date: Wed, 10 Jun 2020 00:59:28 -0700 [thread overview]
Message-ID: <20200610075928.GA172301@gmail.com> (raw)
In-Reply-To: <20200609161427.4eoozs3kkgablmaa@wittgenstein>
On Tue, Jun 09, 2020 at 06:14:27PM +0200, Christian Brauner wrote:
> On Tue, Jun 09, 2020 at 09:06:27AM -0700, Andrei Vagin wrote:
> > On Tue, Jun 09, 2020 at 09:44:22AM +0200, Christian Brauner wrote:
> > > On Mon, Jun 08, 2020 at 08:42:21PM -0700, Andrei Vagin wrote:
...
> > > > PTRACE_O_SUSPEND_SECCOMP is needed for C/R and it is protected by
> > > > CAP_SYS_ADMIN too.
> > >
> > > This is currently capable(CAP_SYS_ADMIN) (init_ns capable) why is it
> > > safe to allow unprivileged users to suspend security policies? That
> > > sounds like a bad idea.
> >
...
> > I don't suggest to remove or
> > downgrade this capability check. The patch allows all c/r related
> > operations if the current has CAP_CHECKPOINT_RESTORE.
> >
> > So in this case the check:
> > if (!capable(CAP_SYS_ADMIN))
> > return -EPERM;
> >
> > will be converted in:
> > if (!capable(CAP_SYS_ADMIN) && !capable(CAP_CHECKPOINT_RESTORE))
> > return -EPERM;
>
> Yeah, I got that but what's the goal here? Isn't it that you want to
> make it safe to install the criu binary with the CAP_CHECKPOINT_RESTORE
> fscap set so that unprivileged users can restore their own processes
> without creating a new user namespace or am I missing something? The
> use-cases in the cover-letter make it sound like that's what this is
> leading up to:
> > > > > * Checkpoint/Restore in an HPC environment in combination with a resource
> > > > > manager distributing jobs where users are always running as non-root.
> > > > > There is a desire to provide a way to checkpoint and restore long running
> > > > > jobs.
> > > > > * Container migration as non-root
> > > > > * We have been in contact with JVM developers who are integrating
> > > > > CRIU into a Java VM to decrease the startup time. These checkpoint/restore
> > > > > applications are not meant to be running with CAP_SYS_ADMIN.
>
> But maybe I'm just misunderstanding crucial bits (likely (TM)).
I think you understand this right. The goal is to make it possible to
use C/R functionality for unprivileged processes. And for me, here are
two separate tasks. The first one is how to allow unprivileged users to
use C/R from the root user namespace. This is what we discuss here.
And another one is how to allow to use C/R functionality from a non-root
user namespaces. The second task is about downgrading capable to
ns_capable for map_files and PTRACE_O_SUSPEND_SECCOMP.
Thanks,
Andrei
next prev parent reply other threads:[~2020-06-10 7:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-03 16:23 [PATCH v2 0/3] capabilities: Introduce CAP_CHECKPOINT_RESTORE Adrian Reber
2020-06-03 16:23 ` [PATCH v2 1/3] " Adrian Reber
2020-06-03 17:01 ` Cyrill Gorcunov
2020-06-09 3:42 ` Andrei Vagin
2020-06-09 7:44 ` Christian Brauner
2020-06-09 16:06 ` Andrei Vagin
2020-06-09 16:14 ` Christian Brauner
2020-06-10 7:59 ` Andrei Vagin [this message]
2020-06-10 15:41 ` Casey Schaufler
2020-06-10 15:48 ` Christian Brauner
2020-06-09 18:45 ` Cyrill Gorcunov
2020-06-09 20:09 ` Nicolas Viennot
2020-06-09 21:05 ` Eric W. Biederman
2020-06-09 21:28 ` Cyrill Gorcunov
2020-06-03 16:23 ` [PATCH v2 2/3] selftests: add clone3() CAP_CHECKPOINT_RESTORE test Adrian Reber
2020-06-03 16:23 ` [PATCH v2 3/3] prctl: Allow ptrace capable processes to change exe_fd Adrian Reber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200610075928.GA172301@gmail.com \
--to=avagin@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=Nicolas.Viennot@twosigma.com \
--cc=areber@redhat.com \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=chf@redhat.com \
--cc=christian.brauner@ubuntu.com \
--cc=dipeit@gmail.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=gorcunov@openvz.org \
--cc=jannh@google.com \
--cc=kyurtsever@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mclapinski@google.com \
--cc=oleg@redhat.com \
--cc=ovzxemul@gmail.com \
--cc=rppt@linux.ibm.com \
--cc=rstoyanov1@gmail.com \
--cc=sargun@sargun.me \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.