Open leonard520 opened 3 hours ago
I am confused. You say:
I found that in order to perform checkpoint and restore, additional sys_ptrace permissions are required.
and
I did a test where I only granted the container checkpoint_restore capability, and it still completed the operation successfully.
Do you see that CAP_SYS_PTRACE is needed or not? If it is not needed, why do you think it might be necessary?
There is following line in the man-page:
criu also needs either CAP_SYS_PTRACE or a value of 0 in /proc/sys/kernel/yama/ptrace_scope (see ptrace(2)) to be able to interrupt the process for dumping.
Does that help?
This is an unprivileged single-user variant, so I think CAP_SYS_PTRACE is required only when Yama policies are enabled: https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Yama.html
Description
Recently, I've been experimenting with this project using OpenJDK's CRaC. I found that in order to perform checkpoint and restore, additional sys_ptrace permissions are required. It works with these permissions, but since ptrace has elevated privileges, I'm trying to understand in what scenarios it's actually needed. I did a test where I only granted the container the checkpoint_restore capability, and it still completed the operation successfully. So, I'm wondering if it depends on specific application scenarios? If so, what are the scenarios where it's needed? Thank you!
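To make the scenarios discussed in this thread concrete, here is an added example (it is not CRIU's, CRaC's or OpenJDK's code) that reads Yama's ptrace_scope and the effective capability set of the current process and predicts, from the Yama rules linked above, whether a PTRACE_SEIZE of a process that is not a descendant of the tracer would pass. That is the normal situation for `criu dump` of a container's process tree: CRIU is a sibling of the target, not its ancestor, so with ptrace_scope 1 it needs CAP_SYS_PTRACE, while with ptrace_scope 0 (or no Yama at all) the classic same-uid checks are enough and CAP_CHECKPOINT_RESTORE alone suffices. Only the Yama layer is modelled; the classic ptrace access checks still have to pass too. The CapEff sample strings are constructed, and the file path constant and function names are the example's own.

```python
"""Added example (not CRIU's code): predict whether this process could
PTRACE_SEIZE an unrelated target, which is what `criu dump` needs in order to
interrupt the process being dumped.  Inputs come from /proc on a Linux host
or can be passed in explicitly for offline use."""
import os

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_SYS_PTRACE = 19
CAP_CHECKPOINT_RESTORE = 40  # Linux 5.9 and later

YAMA_SCOPE = "/proc/sys/kernel/yama/ptrace_scope"


def parse_cap_eff(status_text):
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(cap_mask, bit):
    """True if capability number `bit` is set in `cap_mask`."""
    return (cap_mask >> bit) & 1 == 1


def read_ptrace_scope(path=YAMA_SCOPE):
    """Yama's ptrace_scope, or 0 when the Yama LSM is not present: without
    Yama only the classic ptrace access checks apply."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return 0


def ptrace_allowed(scope, sys_ptrace, target_is_descendant=False):
    """Apply the Yama rules (admin-guide/LSM/Yama.rst) to a PTRACE_ATTACH or
    PTRACE_SEIZE.  `sys_ptrace` means CAP_SYS_PTRACE is held in the target's
    user namespace.  Returns (allowed, reason)."""
    if scope == 0:
        return True, "scope 0: classic ptrace; CAP_SYS_PTRACE not needed for same-uid targets"
    if scope == 1:
        if target_is_descendant:
            return True, "scope 1: target is a descendant of the tracer"
        if sys_ptrace:
            return True, "scope 1: CAP_SYS_PTRACE overrides the descendant rule"
        return False, ("scope 1: non-descendant target needs CAP_SYS_PTRACE "
                       "(or the target must call prctl(PR_SET_PTRACER))")
    if scope == 2:
        if sys_ptrace:
            return True, "scope 2: admin-only, CAP_SYS_PTRACE held"
        return False, "scope 2: admin-only, CAP_SYS_PTRACE required"
    if scope == 3:
        return False, "scope 3: ptrace attach disabled for everyone"
    raise ValueError("unknown ptrace_scope %r" % (scope,))


def criu_dump_prediction(status_text, scope):
    """Summarise what a `criu dump` of a non-descendant process would run into
    given the dumping process's capabilities and the host's ptrace_scope."""
    caps = parse_cap_eff(status_text)
    allowed, reason = ptrace_allowed(scope, has_cap(caps, CAP_SYS_PTRACE))
    return {
        "cap_sys_ptrace": has_cap(caps, CAP_SYS_PTRACE),
        "cap_checkpoint_restore": has_cap(caps, CAP_CHECKPOINT_RESTORE),
        "can_interrupt_target": allowed,
        "reason": reason,
    }


# Constructed sample: the Docker default effective set (0xa80425fb) plus
# CAP_CHECKPOINT_RESTORE (bit 40) only, i.e. no CAP_SYS_PTRACE.
SAMPLE_STATUS_NO_PTRACE = "Name:\tjava\nCapEff:\t00000100a80425fb\n"
# Constructed sample: the same set with CAP_SYS_PTRACE (bit 19) added.
SAMPLE_STATUS_WITH_PTRACE = "Name:\tjava\nCapEff:\t00000100a80c25fb\n"

if __name__ == "__main__":
    # Live check of the current process on a Linux host.
    with open("/proc/self/status") as f:
        print(criu_dump_prediction(f.read(), read_ptrace_scope()))
```

Run it inside the container from which you intend to call `criu dump`: if it reports `can_interrupt_target: False` while `cap_checkpoint_restore: True`, the host's ptrace_scope is what is forcing the extra CAP_SYS_PTRACE grant, not the checkpoint itself. `criu check` remains the authoritative test, since it exercises the real kernel paths rather than this model.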