Changes

Jump to navigation Jump to search

Security (edit)

Revision as of 13:50, 14 September 2015

558 bytes added ,  13:50, 14 September 2015
Some datails about global CAPs we need in criu
Line 15: Line 15:     
CRIU has security issues when working with [[Userns|user namespaces]] and [[selinux]]
 
CRIU has security issues when working with [[Userns|user namespaces]] and [[selinux]]
 +
 +
== Kernel restrictions ==
 +
 +
Currently there are a few places in the kernel which test for action preformed being allowed for capable users only:
 +
 +
* Reading of <code>/proc/$pid/map_files</code> entries is guarded by <code>CAP_SYS_ADMIN</code>. This data is intensively used by CRIU on the dump.
 +
* Restoring memory maps with <code>prctl</code> may require <code>CAP_SYS_RESOURCE</code> on old CRIU versions which don't use <code>PR_SET_MM_MAP</code> interface.
 +
* Upon CRIU start it might try to load net-diag modules which require <code>CAP_SYS_MODULE</code>.
    
== Code example ==
 
== Code example ==
Retrieved from "https://criu.org/Special:MobileDiff/2618"

Navigation menu