Unless ptrace is disabled, seccomp can be freely disabled with PTRACE_O_SUSPEND_SECCOMP.
I came across a document saying something like that, so I did a bit of digging.
In short, it seems the point is that people want to CRIU a container even when seccomp is enabled in it.
Er, so what do you do when you want to use both gdb and CRIU but still want to limit seccomp bypasses...??
Incidentally, it appears to have been this commit:
commit 13c4a90119d28cfcb6b5bdd820c233b86c2b0237
Author: Tycho Andersen <tycho.andersen@canonical.com>
Date:   Sat Jun 13 09:02:48 2015 -0600

    seccomp: add ptrace options for suspend/resume

    This patch is the first step in enabling checkpoint/restore of processes with seccomp enabled.

    One of the things CRIU does while dumping tasks is inject code into them via ptrace to collect information that is only available to the process itself. However, if we are in a seccomp mode where these processes are prohibited from making these syscalls, then what CRIU does kills the task.

    This patch adds a new ptrace option, PTRACE_O_SUSPEND_SECCOMP, that enables a task from the init user namespace which has CAP_SYS_ADMIN and no seccomp filters to disable (and re-enable) seccomp filters for another task so that they can be successfully dumped (and restored). We restrict the set of processes that can disable seccomp through ptrace because although today ptrace can be used to bypass seccomp, there is some discussion of closing this loophole in the future and we would like this patch to not depend on that behavior and be future proofed for when it is removed.

    Note that seccomp can be suspended before any filters are actually installed; this behavior is useful on criu restore, so that we can suspend seccomp, restore the filters, unmap our restore code from the restored process' address space, and then resume the task by detaching and have the filters resumed as well.