seccomp: Move changed ptrace flags setup after creds

Credential commitment affects dumpable and pdeath signals so we have to move their restore after the restore_creds, just like we have in __export_restore_task (ie for group leader). https://jira.sw.ru/browse/PSBM-84198Acked-by: Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>

seccomp: Move changed ptrace flags setup after creds
Credential commitment affects dumpable and pdeath signals so we have to move their restore after the restore_creds, just like we have in __export_restore_task (ie for group leader). https://jira.sw.ru/browse/PSBM-84198Acked-by: Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
d92366ef · Cyrill Gorcunov · Pavel Emelyanov · d5a3d807 · d92366ef · d92366ef
Commit d92366ef authored May 15, 2018 by Cyrill Gorcunov Committed by Pavel Emelyanov Jul 09, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 6 deletions

restorer.h criu/include/restorer.h +3 -1

restorer.c criu/pie/restorer.c +3 -5

No files found.
--- a/criu/include/restorer.h
+++ b/criu/include/restorer.h
@@ -273,7 +273,7 @@ enum {
 	 * almost ready and what's left is:
 	 *   pick up zombies and helpers
 	 *   restore sigchild handlers used to detect restore errors
-	 *   restore credentials
+	 *   restore credentials, seccomp, dumpable and pdeath_sig
 	 */
 	CR_STATE_RESTORE,
 	/*
@@ -288,6 +288,8 @@ enum {
 	 * credentials are restored. Otherwise someone can attach to a
 	 * process, which are not restored credentials yet and execute
 	 * some code.
+	 * Seccomp needs to be restored after creds.
+	 * Dumpable and pdeath signal are restored after seccomp.
 	 */
 	CR_STATE_RESTORE_CREDS,
 	CR_STATE_COMPLETE

--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@@ -545,10 +545,6 @@ long __export_restore_thread(struct thread_restore_args *args)
 	if (restore_thread_common(args))
 		goto core_restore_end;

-	ret = restore_dumpable_flag(&args->ta->mm);
-	if (ret)
-		goto core_restore_end;
-
 	pr_info("%ld: Restored\n", sys_gettid());

 	restore_finish_stage(task_entries_local, CR_STATE_RESTORE);
@@ -557,7 +553,6 @@ long __export_restore_thread(struct thread_restore_args *args)
 		goto core_restore_end;

 	restore_finish_stage(task_entries_local, CR_STATE_RESTORE_SIGCHLD);
-	restore_pdeath_sig(args);

 	/*
 	 * Make sure it's before creds, since it's privileged
@@ -567,8 +562,11 @@ long __export_restore_thread(struct thread_restore_args *args)
 		goto core_restore_end;

 	ret = restore_creds(args->creds_args, args->ta->proc_fd);
+	ret = ret || restore_dumpable_flag(&args->ta->mm);
+	ret = ret || restore_pdeath_sig(args);
 	if (ret)
 		goto core_restore_end;
+
 	restore_finish_stage(task_entries_local, CR_STATE_RESTORE_CREDS);

 	futex_dec_and_wake(&thread_inprogress);