Line 16: |
Line 16: |
| ** empty bridges in netns | | ** empty bridges in netns |
| ** FILTER mode of seccomp | | ** FILTER mode of seccomp |
| + | ** IP_FREEBIND socket option |
| | | |
| === Optimizations/improvements === | | === Optimizations/improvements === |
Line 60: |
Line 61: |
| * Post-restore actions could generate stats files in wrong directories | | * Post-restore actions could generate stats files in wrong directories |
| * Freeze-cgroup didn't take sub-cgroups' tasks into account | | * Freeze-cgroup didn't take sub-cgroups' tasks into account |
| + | * Tentative state in IPv6 sockets binding prevented socket from being bound immediately |
| + | * Restoring from images with files pointing to /proc file of dead tasks could crash |
| + | * Tasks with STOP in queue (i.e. -- not ''yet'' stopped) were CONT-ed in case of --leave-running dump |
| + | * Stopped task with one more STOP in queue caused dump to stuck |
| + | * If parent task left the MNT namespace it created for children restore could BUG() |
| + | * Link-local IPv6 addresses sometimes failed to bind() at restore |
| | | |
| === Security === | | === Security === |
| * Service run as root could allow users to violate ptrace policies | | * Service run as root could allow users to violate ptrace policies |
| * Service run as root could give users access to privileged files and directories | | * Service run as root could give users access to privileged files and directories |