checkpoint: resolve symlink for external bind mount (take II) #3047
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @kolyshkin and @cyphar Sorry for broking CI system in the weekend.. When #2902 is merge, issue #3042 shows that CI is broken, with error message I am not sure whether it is introduced due to security issue. So I choose Solution 2 described in #3042 |
kolyshkin
changed the title
kolyshkin
changed the title
|
@cyphar @AkihiroSuda PTAL |
|
Thanks @kolyshkin , @cyphar @AkihiroSuda rebased and tested with newest master. |
|
@liusdu can you please rebase? we did some changes to CI that unfortunately require an explicit rebase. |
|
@kolyshkin rebased~ |
|
@liusdu needs another rebase (we're tackling with CI lately) |
|
rebased |
runc resolves symlink before doing bind mount. So we should save original path while formatting CriuReq for dump and restore. "checkpoint: resolve symlink for external bind mount" is merged as da22625(PR 2902) previously. And reverted in commit 70fdc05(PR 3043) duo to behavior changes caused by commit 0ca91f4(Fixes: CVE-2021-30465) Signed-off-by: Liu Hua <[email protected]>
|
@kolyshkin @cyphar @crosbymichael rebased, please take a look at this patch. |
cyphar
approved these changes
Sep 9, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[From @kolyshkin: This is a respin of #2902 which was reverted in #3043]
runc resolves symlink before doing bind mount. So
we should save original path while formatting CriuReq for
dump and restore.
"checkpoint: resolve symlink for external bind mount" is merged as
da22625 (PR #2902) previously. And reverted
in commit 70fdc05 (PR #3043) duo to behavior changes
caused by commit 0ca91f4 (Fixes: CVE-2021-30465)
Signed-off-by: Liu Hua [email protected]
Changelog entry
(by @kolyshkin)