Line 15: |
Line 15: |
| ** ignore_routes_with_linkdown netns devconf | | ** ignore_routes_with_linkdown netns devconf |
| ** empty bridges in netns | | ** empty bridges in netns |
| + | ** FILTER mode of seccomp |
| + | ** IP_FREEBIND socket option |
| | | |
| === Optimizations/improvements === | | === Optimizations/improvements === |
Line 27: |
Line 29: |
| * Read pages.img in more optimal manner rather than page-by-page | | * Read pages.img in more optimal manner rather than page-by-page |
| * Less "Error"-s in logs, that actually don't lead to errors | | * Less "Error"-s in logs, that actually don't lead to errors |
| + | * Slightly faster /proc/pid/status parsing |
| + | * Dead/live-locks on internal criu locks now emits a warning into logs |
| | | |
| === Fixes === | | === Fixes === |
Line 51: |
Line 55: |
| * Controlling tty could be restored on wrong tty end | | * Controlling tty could be restored on wrong tty end |
| * Tmpfs mount of sub-namespace was restored from wrong image file | | * Tmpfs mount of sub-namespace was restored from wrong image file |
| + | * Potential stack overflow in libcriu |
| + | * Partially-restored tasks could be left after failed restore |
| + | * In-container TCP connection sometimes failed to restore |
| + | * Race in sending SIGSTOP vs dump might cause dump to fail |
| + | * Post-restore actions could generate stats files in wrong directories |
| + | * Freeze-cgroup didn't take sub-cgroups' tasks into account |
| + | * Tentative state in IPv6 sockets binding prevented socket from being bound immediately |
| + | * Restoring from images with files pointing to /proc file of dead tasks could crash |
| + | * Tasks with STOP in queue (i.e. -- not ''yet'' stopped) were CONT-ed in case of --leave-running dump |
| + | * Stopped task with one more STOP in queue caused dump to stuck |
| + | * If parent task left the MNT namespace it created for children restore could BUG() |
| + | * Link-local IPv6 addresses sometimes failed to bind() at restore |
| | | |
| === Security === | | === Security === |
| * Service run as root could allow users to violate ptrace policies | | * Service run as root could allow users to violate ptrace policies |
| * Service run as root could give users access to privileged files and directories | | * Service run as root could give users access to privileged files and directories |