restore: Allow dropping extra caps in unprivileged mode.

If running unprivileged warn if the check fails, error out otherwise. Signed-off-by: Michał Mirosław <[email protected]>
checkpoint-restore · Jul 19, 2023 · 17cd778 · 17cd778
1 parent 541856d
commit 17cd778
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
@@ -3363,8 +3363,16 @@ static int copy_caps(u32 *out_caps, u32 *in_caps, int n_words)
 		if (~in_caps[i / 32] & (1 << (i % 32)))
 			continue;
 
-		pr_err("Can't restore capability %d > min(kernel=%d, criu=%d)", i, kdat.last_cap, 32 * CR_CAP_SIZE - 1);
-		return -EPERM;
+		if (!opts.unprivileged) {
+			pr_err("Can't restore capability %d > min(kernel=%d, criu=%d)", i, kdat.last_cap, 32 * CR_CAP_SIZE - 1);
+			return -EPERM;
+		}
+		/*
+		 * For unprivileged restore case, we allow the restore to happen in a differently-constrained
+		 * container, leaving checking the validity of dropping unsupported caps to the container runtime.
+		 */
+		pr_warn("Can't restore capability %d > min(kernel=%d, criu=%d)", i, kdat.last_cap, 32 * CR_CAP_SIZE - 1);
+		in_caps[i / 32] &= ~(1 << (i % 32));
 	}
 
 	n_words = min(n_words, (last_cap + 31) / 32);