1. 13 Jan, 2016 2 commits
  2. 30 Dec, 2015 2 commits
  3. 29 Dec, 2015 14 commits
  4. 28 Dec, 2015 9 commits
  5. 25 Dec, 2015 2 commits
  6. 24 Dec, 2015 11 commits
    • Pavel Emelyanov's avatar
      afc11b6a
    • Pavel Emelyanov's avatar
      zdtm.py: Mark nouser tests as such · 517c0988
      Pavel Emelyanov authored
      Some tests require criu to be root, e.g. tcp tests of unlink-mmaps ones,
      so mark those in desc files as such.
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      517c0988
    • Pavel Emelyanov's avatar
      jenkins: Add user mode job · b8d92bd4
      Pavel Emelyanov authored
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      b8d92bd4
    • Pavel Emelyanov's avatar
      proc: Fix aio mapping detection · d487ad76
      Pavel Emelyanov authored
      This is fixlet to patch #2.
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      d487ad76
    • Pavel Emelyanov's avatar
      zdtm.py: Check how user-mode works · dde2adbc
      Pavel Emelyanov authored
      There are several restrictions:
      
      1. Onlu dump is checked (--norst) for now
      2. Only host flavor as tests has to start themselves in non-root mode
      3. Only non-suid tests
      4. TCP doesn't work too, should be manually excluded :\
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      dde2adbc
    • Cyrill Gorcunov's avatar
      parasite: Load code blobs via memfd · 35636a7e
      Cyrill Gorcunov authored
      Currently parasite is loaded using the map_files dir,
      which is guarged with CAP_SYS_ADMIN by default (which
      is dropped in 4.2 series). So lets do a deal -- try
      to use memfd interface first (which has been introduced
      in 4.0 kernel series) and if we fail then switch to old
      map_files interface.
      
      With time all users are switched to new kernels so
      memfd gonna be primary interface.
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      Signed-off-by: 's avatarCyrill Gorcunov <gorcunov@openvz.org>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      35636a7e
    • Pavel Emelyanov's avatar
      proc: Use smaps path for file · 2dcccc61
      Pavel Emelyanov authored
      Kernel doesn't allow to mess with map_files dir in proc. So,
      when doing dump from user process, we should try to get
      file path using path from smaps file. To be 100% sure the
      path is correct we also get device and ino numbers and
      check them agains the stat()-ed path ones.
      
      With this scheme we miss
      
      - mapped packet sockets, but users don't use them
      - AIOs, but this can be detected via device, inode and name
      - several nested mntns's, but users don't use them
      - mapped and unlinked files, but this can be fixed by
        reading file via task's memory (slow, but still)
      
      gorcunov@:
      
       - For special mappings such as heap, vsyscall, vdso and such
         the kernel provides names rounded by brackets so exit
         from vma_get_mapfile if we meet one and allow the caller
         to handle it.
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      Signed-off-by: 's avatarCyrill Gorcunov <gorcunov@openvz.org>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      2dcccc61
    • Cyrill Gorcunov's avatar
      pagemap-cache: Use greedy mode if pagemap inaccessible · a4edef8e
      Cyrill Gorcunov authored
      If criu is running in unprivileged mode and we can't
      access dumpee's pagemap file -- simply switch to
      greedy mode where all pages are gonna be dumped
      regardless of their presence in memory.
      Signed-off-by: 's avatarCyrill Gorcunov <gorcunov@openvz.org>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      a4edef8e
    • Cyrill Gorcunov's avatar
      vdso: Don't fail if pagemap is not accessbile · d1db4faf
      Cyrill Gorcunov authored
      We use page frame number to detect vDSO which has been remapped
      in-place from runtime vDSO during restore. In such case if the
      kernel is younger than 3.16 the "[vdso]" mark won't be reported
      in procfs output.
      
      Still to address recently reported CVEs and be able to run CRIU
      in unprivileged mode we need to handle vDSO without pagemap access
      and here is the deal -- when we find VMA which "looks like" vDSO
      we try to scan it for vDSO symbols and if it matches we restore
      its status without PFN access.
      
      Here is some details on @pagemap access in-kernel history:
      
       - @pagemap introduced in commit 85863e475e59 where anyone
         which can attach to a task via ptrace is allowed to read
         data from @pagemap (Feb 4 2008, v2.6.25-rc1)
      
       - in commit 006ebb40d3d65 ptrace attach rule has been changed
         into ptrace read permission (May 19 2008, v2.6.27-rc1)
      
       - in commit ab676b7d6fbf4 opening of @pagemap become guarded
         with CAP_SYS_ADMIN because of leak of physical addresses
         into userspace (Mar 9 2015, v4.0-rc5)
      
       - in commit 1c90308e7a77a opening of @pagemap become available
         for regular users again (with ptrace read permission) but
         physical addresses of pages are hidden from non-privileged
         userd (Sep 8 2015, v4.3-rc1)
      Signed-off-by: 's avatarCyrill Gorcunov <gorcunov@openvz.org>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      d1db4faf
    • Pavel Emelyanov's avatar
      dump: Dont read prohibited kernel files · d10835c4
      Pavel Emelyanov authored
      In particular, we won't be able to do memory tracking and
      zero page detection.
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      d10835c4
    • Pavel Emelyanov's avatar
      kerndat: Read anon shmem dev via maps · 2e2e1c13
      Pavel Emelyanov authored
      Kernel doesn't allow to read /proc/pid/map_files. This file
      is used to get pseudo device for anon shmem mappings, but
      this info can be get by scanning /proc/self/maps file.
      
      This works slower, but still.
      Signed-off-by: 's avatarPavel Emelyanov <xemul@parallels.com>
      Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
      2e2e1c13