Difference between revisions of "Security"
Jump to navigation
Jump to search
Line 1: | Line 1: | ||
Due to restrictions imposed by several kernel APIs CRIU uses, the tools can only work with run with root privileges. The plan is to provide [[user-mode]], but it will have restrictions. | Due to restrictions imposed by several kernel APIs CRIU uses, the tools can only work with run with root privileges. The plan is to provide [[user-mode]], but it will have restrictions. | ||
− | + | == Service mode == | |
− | + | ||
− | + | If CRIU is run as [[CLI/cmd/service|service]] from root, make sure the connection socket is restricted to unauthorized access. The service doesn't make any additional checks about the RPC caller, it just goes and performs the requested action. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== See also == | == See also == | ||
Line 16: | Line 9: | ||
CRIU has security issues when working with [[Userns|user namespaces]] and [[selinux]] | CRIU has security issues when working with [[Userns|user namespaces]] and [[selinux]] | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
[[Category: API]] | [[Category: API]] |
Latest revision as of 09:28, 14 December 2016
Due to restrictions imposed by several kernel APIs CRIU uses, the tools can only work with run with root privileges. The plan is to provide user-mode, but it will have restrictions.
Service mode[edit]
If CRIU is run as service from root, make sure the connection socket is restricted to unauthorized access. The service doesn't make any additional checks about the RPC caller, it just goes and performs the requested action.
See also[edit]
CRIU has security issues when working with user namespaces and selinux