[crac] RFR: Ignore open files in /var/lib/sss/mc [v4]

Radim Vansa rvansa at openjdk.org
Tue Nov 7 12:20:28 UTC 2023


> I was considering different ways to fix this - there are actually two problems:
> 1) how to detect that?
> * This PR whitelists all files in the directory (we could explicitly name `passwd`, `group`, `sid` and `initgroups`...)
> * We could manually check all places in JDK that call `getpwuid*`, `getpwname*`, `getgrgid*` and `getgrname*` and maybe some other functions, and diff FDs opened before/after the call. However this a) has performance impact b) is prone to races
> * Intercept the call: either catch syscalls (ptrace or seccomp), or patching `sss_open_cloexec` in memory, or preloading it? Rather complicated.
> 2) what to do with the open FD?
> * Current solution is to leave this up to CRIU (or another C/R engine). Again the simplest
> * We could close this; the FD is `fstat`-validated later on, so this would cause errors from these functions. We would need to patch the library, de-initializing the implementation (also risky).
> 
> Normally I would try to include a testcase but given that this is system-dependent (and the issue does not appear even in CentOS Stream 9 container) I've only done manual testing.

Radim Vansa has updated the pull request incrementally with one additional commit since the last revision:

  Add comment

-------------

Changes:
  - all: https://git.openjdk.org/crac/pull/137/files
  - new: https://git.openjdk.org/crac/pull/137/files/1201d599..fb1cf056

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=crac&pr=137&range=03
 - incr: https://webrevs.openjdk.org/?repo=crac&pr=137&range=02-03

  Stats: 4 lines in 1 file changed: 4 ins; 0 del; 0 mod
  Patch: https://git.openjdk.org/crac/pull/137.diff
  Fetch: git fetch https://git.openjdk.org/crac.git pull/137/head:pull/137

PR: https://git.openjdk.org/crac/pull/137

