This tests if CRIU can restore a process with the same policy as during
checkpointing.

The test selinux00 is started and if SELinux is available the test
process moves itself to another process context. To make this possible
either a new SELinux policy needs to be available containing:

https://github.com/fedora-selinux/selinux-policy/commit/2d537cabbb2df614ea598ac20873c653cbf271a8

Or for a short time SELinux is switched to permissive mode.

The correct SELinux setup is done by zdtm/static/selinux00.checkskip and
zdtm/static/selinux00.hook and after the test the previous SELinux
policy state is restored.

After the test case is restored the test case checks if it still has the
same SELinux process context as before. If not the test cases fails.
Signed-off-by: Adrian Reber <areber@redhat.com>

If running on a system with SELinux enabled the socket for the
communication between parasite daemon and the main CRIU process needs to
be correctly labeled.

Initially this was motivated by Podman's use case: The container is
usually running as something like '...:...:container_t:...:....' and
CRIU started from runc and Podman will run as
'...:...:container_runtime_t:...:...'. As the parasite will be running
with the same context as the container process: 'container_t'.

Allowing a container process to connect via socket to the outside
of the container ('container_runtime_t') is not desired and therefore
CRIU needs to label the socket with the context of the
container: 'container_t'.

So this first gets the context of the root container process and tells
SELinux to label the next created socket with the same label as the root
container process. For this to work it is necessary to have the correct
SELinux policies installed. For Fedora based systems this is part of the
container-selinux package.

This assumes that all processes CRIU wants to dump are labeled with the
same SELinux context. If some of the child processes have different
labels this will not work and needs additional SELinux policies. But the
whole SELinux socket labeling relies on the correct SELinux being
available.
Signed-off-by: Adrian Reber <areber@redhat.com>

There was support for SELinux process labels in CRIU but because it was
never tested or verified CRIU only supported the 'unconfined_t' process
label. This was basically no SELinux support.

For successful container checkpoint and restore on a SELinux enabled
host it is necessary that the restored container has the same process
context as before checkpointing.

This commit only removes the check if the label is 'unconfined_t' and
now stores any process label to be restored.

For 'normal' processes started from the command-line which are usually
running in the 'unconfined_t' this just works.

For the container use case this needs additional policies. The latest
container-selinux package on Fedora has the necessary policy to allow
CRIU (running as 'container_runtime_t' when used from Podman) to
transition the restored process to 'container_t'.

Restoring a process running under systemd's control (which means
'unconfined_service_t' without additional policies) will fail because
CRIU will be not allowed to change the context of the restored process.

For each additional CRIU use case on SELinux enabled systems, besides
container processes and command-line/shell processes, additional SELinux
policies are required to allow CRIU to do a 'dyntransition' (change the
Signed-off-by: Adrian Reber <areber@redhat.com>

It was never designed to run params in ansync mode,
and i always been against this change because async
here is too fragile.

p.s.:

I think this might be a reason for

https://github.com/checkpoint-restore/criu/issues/647Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

https://github.com/checkpoint-restore/criu/issues/329Signed-off-by: Harshavardhan Unnibhavi <hvubfoss@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

Removed return value assignment statements as they are not referenced or used
anywhere after the assignment is done.

Fixes #334: Removing Unneeded Assignments
Signed-off-by: Mitul Karnik <mitulkarnik.92@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

Use faccessat() in check_path_remap() to check if the file (relative
to root of mnt ns) is accessible or not.
Signed-off-by: Ashutosh Mehra <asmehra1@in.ibm.com>

binfmt_misc.c:168:23: error: ‘sprintf’ may write a terminating nul past the end of the destination [-Werror=format-overflow=]
  168 |   sprintf(path, "%s/%s", dirname, NAME[i]);
      |                       ^
Signed-off-by: Adrian Reber <areber@redhat.com>

Signed-off-by: Adrian Reber <areber@redhat.com>

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Support for printing early log messages was recently added, which makes this
comment is no longer relevant.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

In rpc.proto the interface to query the CRIU version number uses major
and minor as keywords. This creates errors when using the RPC
definitions with C++: https://github.com/checkpoint-restore/criu/issues/625

In this commit the fields are renamed from major to major_number and
from minor to minor_number.

For existing programs using the RPC protobuf definition this should be a
transparent change. Only for programs importing the latest rpc.proto it
will require code changes.
Signed-off-by: Adrian Reber <areber@redhat.com>

Combine the functionality of socket_set_non_blocking() and
socket_set_blocking() into a new function, and move it in
criu/util.c to enable reusability throughout the code base.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Signed-off-by: Mitul Karnik <mitulkarnik.92@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

When the --ps-socket option is specified the provided file descriptor
of a socket will be reused for incoming TCP connection. In such case
the --address and --port options are ignored.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

The variable `len` is used only to calculate the value of `end`. We
already have the static inline function pagemap_len(), which can be
used instead.
Acked-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

The --lsm-profile option allows a container engine to specify LSM
profile name.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

The server socket is marked as nonblocking, and if the client doesn't
connect, accept() will fail and set errno to EAGAIN (or EWOULDBLOCK).
Instead, use poll to wait for POLLIN event on the file descriptor.
Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Running crit with python2 gives following minimal help message:

 $ crit/crit
 usage: crit [-h] {decode,encode,info,x,show} ...
 crit: error: too few arguments

Using a python3 only system crit shows the following error:

 $ crit/crit
 Traceback (most recent call last):
   File "crit/crit", line 6, in <module>
     cli.main()
   File "/home/criu/crit/pycriu/cli.py", line 334, in main
     opts["func"](opts)
 KeyError: 'func'

Using this patch the python3 output changes to:

 $ crit/crit
 usage: crit [-h] {decode,encode,info,x,show} ...
 crit: error: too few arguments
Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Adrian Reber <areber@redhat.com>

When the --ps-socket option is used with page-server, instead of
--address and --port, this message would appear as:

    (00.028440) Disconnect from the page server (null):0
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

From man inet_pton(3):

    inet_pton() returns 1 on success (network address was successfully
    converted). 0 is returned if src does not contain a character
    string representing a valid network address in the specified
    address family. If af does not contain a valid address family,
    -1 is returned and errno is set to EAFNOSUPPORT.

We can assume that the return value is 1 or 0 (because af is set to
AF_INET4 or AF_INET6), therefore errno will not be set.

If a user attempts to bind a server using invalid network address the
following error message will be shown:

 Bad server address: Success

Which is not very clear, with this change the error message will look
like this:

Invalid server address "localhost". The address must be in IPv4 or IPv6 format.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

* "post-resume" was introduced with commit:

 2ab59939
 cr-restore: "post-resume" hook introduced

 This hook is called at the very end, when everything is restored and processes
 were resumed.
 Can be used for some actions, which require operation container, like
 restarting of systemd autofs services.

* "post-setup-namespaces" was introduced with commit:

 eec66f3d
 criu [PATCH] post-setup-namespaces

 Introduce post-setup-namespaces action script

 It needed to have possibility to run cutom script after mount
 namespace is configured

* "orphan-pts-master" was introduced with commit:

 6afe523d
 tty: notify about orphan tty-s via rpc

 Now Docker creates a pty pair from a container devpts to use is as console.
 A slave tty is set as a control tty for the init process and bind-mounted
 into /dev/console. The master tty is handled externelly.

 Now CRIU can handle external resources, but here we have internal resources
 which are used externaly.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Suppress the false positive fail in criu-live-migration job:
https://ci.openvz.org/job/CRIU/job/criu-live-migration/job/criu-dev/1796/

[criu]# ./test/zdtm.py run -t zdtm/static/overmounted_file -f uns --lazy-migrate

=== Run 1/1 ================ zdtm/static/overmounted_file
=================== Run zdtm/static/overmounted_file in uns ====================
Start test
Test is SUID
./overmounted_file --pidfile=overmounted_file.pid --outfile=overmounted_file.out --dirname=overmounted_file.test
Run criu dump
Test zdtm/static/overmounted_file FAIL at criu dump exited with 1 ######
Send the 9 signal to  49
Wait for zdtm/static/overmounted_file(49) to die for 0.100000
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

The '-R' is short for '--leave-running', which is a boolean option and
does not require an argument.

From getopt(3) man page:

optstring is a string containing the legitimate option characters. If
such a character is followed by a colon, the option requires an
argument, ...
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

This commit removes the functions criu_(local_)set_service_comm().
These functions are not neccessary, because if
set_service_address(), set_service_fd() or
set_service_binary() has been called it is already clear, which
service comm type should be used.

Furhtermore, this commit reduces the number of misuses.
E.g. if set_service_comm() was set to socket, but a binary was given
via set_service_binary().
Signed-off-by: Martin Wührer <martin.wuehrer@artech.at>

This commit checks after each strdup() call if the call was successful.
If not, the function that calls strdup() returns an error.

This requires, that the return value of several functions has to be
changed from void to int.
Signed-off-by: Martin Wührer <martin.wuehrer@artech.at>

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

Files from such mounts can switch on restore to different files on the
overmounting mount, as we yet don't fully control the mount on which
the file is restored.

v3: make mnt_is_overmounted boolean again
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

Test creates two shared mounts, both are readonly, on each mount we have
a different ghost file. Also let these mounts have different mount
flags. That makes us both test do_new_mount hunk for delaying readonly
and do_bind_mount, as one mount will bind from another on restore.

https://jira.sw.ru/browse/PSBM-82991

v2: minor cleanup
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

We can have ghost-files on readonly mounts, for them we will need to
recreate the file on restore, and we can't do that if mount is readonly,
so the idea is to remount the mount we want to operate on to be writable,
and later after all ghost-files restored return mounts to their proper
state if needed.

There are three exceptions, where we don't remount:
a) Overmounted mounts can't be easily remounted writable, as their
mountpoints are invisible for us.
b) If the mount has readonly superblock - there can be no ghost-files on
such a mount.
c) When we are in host mntns, we should not remount mounts in it, else
if we face errors in between we'll forget to remount back.

We have 3 places where we need to add these remount:
1) create_ghost()
2) clean_one_remap()
3) rfi_remap()

For (1) and (2) we can just remount the mount writable without
remounting it back as they are called in service mntns (the one we save
in mnt_ns_fd), which will be destroyed with all it's mounts at the end.
We mark such mounts as remounted in service mntns - REMOUNTED_RW_SERVICE.

For (3) we need to remount these mounts back to readonly so we mark them
with REMOUNTED_RW and later in remount_readonly_mounts all such mounts
are re-remounted back.

For (3) we also need to enter proper mntns of tmi before remounting.

These solution v3 is better than v2 as for v2 we added additional
remount for all bind-readonly mounts, now we do remounts only for
those having ghost-files restore operations on them. These should be
quiet a rare thing, so ~3 remounts added for each suitable mount is a
relatively small price.

note: Also I thought and tried to implement the complete remove of the
step of remounting back to readonly, but it requires quiet a tricky
playing with usernsd and only removes one remount (of ~3) for already a
rare case so I don't thing it worth the effort.

v2: minor commit message cleanup and remove warn
v4: don't delay, only remount the mounts we explicitly want to write to
just before operating, rename patch accordingly, reuse
do_restore_task_mnt_ns, optimize inefficient ns_remount_readonly_mounts,
and also add another exception.
v5: simplify child status check, fix log messages and brackets, do not
drop all flags but only the readonly flag
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

On restore we change mounts tree topology and paths in find_remap_mounts
thus mns_is_overmounted does not account remaped overmounts. So to know
which mounts will be actually overmounted after restore we need two much
effort, better prepare these info in advance.

That also should improve performance of mnt_is_overmounted on dump,
as we reuse calculations from previous calls.

v3: make mnt_is_overmounted boolean again
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>

Use realloc() to change the size of the memory block pointed
to by info->source instead of allocating new memory area and
releasing the old one. If info->source is NULL then the call
is equivalent to malloc(size).
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

The `show` and `exec` commands have been deprecated for some time,
and it is unlikely to be called by users. It would be better to move
them the end of the sequence of if-statements.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>