CRIU has security issues when working with [[Userns|user namespaces]] and [[selinux]].
== Kernel restrictions ==
Currently there are a few places in the kernel that check whether the action being performed is allowed, and permit it for capable users only:
* Reading <code>/proc/$pid/map_files</code> entries is guarded by <code>CAP_SYS_ADMIN</code>. CRIU uses this data heavily during dump.
* Restoring memory maps with <code>prctl</code> may require <code>CAP_SYS_RESOURCE</code> on old CRIU versions that don't use the <code>PR_SET_MM_MAP</code> interface.
* On start, CRIU might try to load net-diag modules, which requires <code>CAP_SYS_MODULE</code>.
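
The following is an added example, not CRIU's own code: a preflight check that reads the <code>CapEff</code> field of a <code>/proc/&lt;pid&gt;/status</code> text and reports which of the three operations listed above the kernel would refuse. The <code>BLOCK_*</code> flags, the function names and the sample status text are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define BIT_SYS_MODULE   16
#define BIT_SYS_ADMIN    21
#define BIT_SYS_RESOURCE 24

/* Hypothetical flags, one per restriction in the list above. */
enum {
    BLOCK_MAP_FILES = 1 << 0, /* reading /proc/$pid/map_files on dump */
    BLOCK_PRCTL_MM  = 1 << 1, /* prctl restore without PR_SET_MM_MAP (old CRIU) */
    BLOCK_MOD_LOAD  = 1 << 2, /* loading net-diag modules on start */
};

/* Constructed sample of /proc/<pid>/status lines; this mask lacks all three. */
static const char SAMPLE_STATUS[] =
    "Name:\tcriu\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n";

/* Parse the CapEff line (never the first line of the file; "Name:" is).
 * Returns 0 on success, -1 if the field is missing or not hexadecimal. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    unsigned long long v;
    const char *p = strstr(status, "\nCapEff:");
    if (!p || sscanf(p + 8, "%llx", &v) != 1)
        return -1;
    *mask = v;
    return 0;
}

/* Map an effective capability mask to the operations that would be refused. */
int blocked_operations(uint64_t cap_eff)
{
    int blocked = 0;
    if (!((cap_eff >> BIT_SYS_ADMIN) & 1))    blocked |= BLOCK_MAP_FILES;
    if (!((cap_eff >> BIT_SYS_RESOURCE) & 1)) blocked |= BLOCK_PRCTL_MM;
    if (!((cap_eff >> BIT_SYS_MODULE) & 1))   blocked |= BLOCK_MOD_LOAD;
    return blocked;
}

int main(void)
{
    uint64_t mask = 0;
    if (parse_cap_eff(SAMPLE_STATUS, &mask) != 0) return 1;
    printf("CapEff=%#llx blocked=%d\n", (unsigned long long)mask, blocked_operations(mask));
    return 0;
}
```

<code>CapEff</code> is relative to the process's own user namespace, so a full mask inside a user namespace does not guarantee that kernel checks made against the initial namespace will pass.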