memfd_secret: add memfd_secret file support

See "man 2 memfd_secret".

Fixes: checkpoint-restore#2188

Signed-off-by: Dhanuka Warusadura <[email protected]>

Author: warusadura

criu/Makefile.crtools

@@ -40,6 +40,7 @@ obj-y			+= log.o
 obj-y			+= lsm.o
 obj-y			+= mem.o
 obj-y			+= memfd.o
+obj-y                   += memfd-secret.o
 obj-y			+= mount.o
 obj-y			+= mount-v2.o
 obj-y			+= filesystems.o

criu/cr-check.c

@@ -1340,6 +1340,14 @@ static int check_memfd_hugetlb(void)
 	return 0;
 }
 
+static int check_memfd_secret(void)
+{
+	if (!kdat.has_memfd_secret)
+		return -1;
+
+	return 0;
+}
+
 static int check_network_lock_nftables(void)
 {
 	if (!kdat.has_nftables_concat) {
@@ -1502,6 +1510,7 @@ int cr_check(void)
 		ret |= check_openat2();
 		ret |= check_ptrace_get_rseq_conf();
 		ret |= check_ipv6_freebind();
+		ret |= check_memfd_secret();
 
 		if (kdat.lsm == LSMTYPE__APPARMOR)
 			ret |= check_apparmor_stacking();
@@ -1623,6 +1632,7 @@ static struct feature_list feature_list[] = {
 	{ "openat2", check_openat2 },
 	{ "get_rseq_conf", check_ptrace_get_rseq_conf },
 	{ "ipv6_freebind", check_ipv6_freebind },
+	{ "memfd_secret", check_memfd_secret },
 	{ NULL, NULL },
 };
 

criu/cr-restore.c

@@ -79,6 +79,7 @@
 #include "timens.h"
 #include "bpfmap.h"
 #include "apparmor.h"
+#include "memfd-secret.h"
 
 #include "parasite-syscall.h"
 #include "files-reg.h"
@@ -279,7 +280,7 @@ static struct collect_image_info *cinfos_files[] = {
 	&unix_sk_cinfo,	      &fifo_cinfo,     &pipe_cinfo,    &nsfile_cinfo,	    &packet_sk_cinfo,
 	&netlink_sk_cinfo,    &eventfd_cinfo,  &epoll_cinfo,   &epoll_tfd_cinfo,    &signalfd_cinfo,
 	&tunfile_cinfo,	      &timerfd_cinfo,  &inotify_cinfo, &inotify_mark_cinfo, &fanotify_cinfo,
-	&fanotify_mark_cinfo, &ext_file_cinfo, &memfd_cinfo,
+	&fanotify_mark_cinfo, &ext_file_cinfo, &memfd_cinfo,   &memfd_secret_cinfo,
 };
 
 /* These images are required to restore namespaces */

criu/files.c

@@ -49,6 +49,7 @@
 #include "kerndat.h"
 #include "fdstore.h"
 #include "bpfmap.h"
+#include "memfd-secret.h"
 
 #include "protobuf.h"
 #include "util.h"
@@ -563,6 +564,9 @@ static int dump_one_file(struct pid *pid, int fd, int lfd, struct fd_opts *opts,
 		/* TODO: Dump for hugetlb fd when memfd hugetlb is not supported */
 		if (is_memfd(p.stat.st_dev) || (kdat.has_memfd_hugetlb && is_hugetlb_dev(p.stat.st_dev, NULL)))
 			ops = &memfd_dump_ops;
+		/* memfd_secret */
+		else if (is_memfd_secret(p.stat.st_dev) && kdat.has_memfd_secret)
+			ops = &memfd_secret_dump_ops;
 		else if (link.name[1] == '/')
 			ops = &regfile_dump_ops;
 		else if (check_ns_proc(&link))
@@ -1778,6 +1782,9 @@ static int collect_one_file(void *o, ProtobufCMessage *base, struct cr_img *i)
 	case FD_TYPES__MEMFD:
 		ret = collect_one_file_entry(fe, fe->memfd->id, &fe->memfd->base, &memfd_cinfo);
 		break;
+	case FD_TYPES__MEMFD_SECRET:
+		ret = collect_one_file_entry(fe, fe->memfd_secret->id, &fe->memfd_secret->base, &memfd_secret_cinfo);
+		break;
 #ifdef CONFIG_HAS_LIBBPF
 	case FD_TYPES__BPFMAP:
 		ret = collect_one_file_entry(fe, fe->bpf->id, &fe->bpf->base, &bpfmap_cinfo);

criu/image-desc.c

@@ -29,6 +29,7 @@ struct cr_fd_desc_tmpl imgset_template[CR_FD_MAX] = {
 	FD_ENTRY(FDINFO,	"fdinfo-%u"),
 	FD_ENTRY(PAGEMAP,	"pagemap-%lu"),
 	FD_ENTRY(SHMEM_PAGEMAP,	"pagemap-shmem-%lu"),
+        FD_ENTRY(SECRETMEM_PAGEMAP, "pagemap-secretmem-%lu"),
 	FD_ENTRY(REG_FILES,	"reg-files"),
 	FD_ENTRY(EXT_FILES,	"ext-files"),
 	FD_ENTRY(NS_FILES,	"ns-files"),
@@ -67,6 +68,7 @@ struct cr_fd_desc_tmpl imgset_template[CR_FD_MAX] = {
 	FD_ENTRY(REMAP_FPATH,	"remap-fpath"),
 	FD_ENTRY_F(GHOST_FILE,	"ghost-file-%x", O_NOBUF),
 	FD_ENTRY_F(MEMFD_INODE,	"memfd", O_NOBUF),
+        FD_ENTRY_F(MEMFD_SECRET_INODE, "memfd-secret", O_NOBUF),
 	FD_ENTRY(TCP_STREAM,	"tcp-stream-%x"),
 	FD_ENTRY(MNTS,		"mountpoints-%u"),
 	FD_ENTRY(NETDEV,	"netdev-%u"),

criu/include/image-desc.h

@@ -52,6 +52,7 @@ enum {
 
 	CR_FD_PSTREE,
 	CR_FD_SHMEM_PAGEMAP,
+	CR_FD_SECRETMEM_PAGEMAP,
 	CR_FD_GHOST_FILE,
 	CR_FD_TCP_STREAM,
 	CR_FD_FDINFO,
@@ -69,6 +70,7 @@ enum {
 	CR_FD_SECCOMP,
 	CR_FD_APPARMOR,
 	CR_FD_MEMFD_INODE,
+	CR_FD_MEMFD_SECRET_INODE,
 	CR_FD_BPFMAP_FILE,
 	CR_FD_BPFMAP_DATA,
 	_CR_FD_GLOB_TO,
@@ -113,6 +115,7 @@ enum {
 	CR_FD_PIPES,
 	CR_FD_TTY_FILES,
 	CR_FD_MEMFD_FILE,
+	CR_FD_MEMFD_SECRET_FILE,
 
 	CR_FD_AUTOFS,
 

criu/include/image.h

@@ -84,6 +84,7 @@
 #define VMA_AREA_VVAR	 (1 << 12)
 #define VMA_AREA_AIORING (1 << 13)
 #define VMA_AREA_MEMFD	 (1 << 14)
+#define VMA_AREA_MEMFD_SECRET (1 << 15)
 
 #define VMA_EXT_PLUGIN	  (1 << 27)
 #define VMA_CLOSE	  (1 << 28)

criu/include/kerndat.h

@@ -34,11 +34,13 @@ enum loginuid_func {
 struct kerndat_s {
 	u32 magic1, magic2;
 	dev_t shmem_dev;
+	dev_t secretmem_dev;
 	int last_cap;
 	u64 zero_page_pfn;
 	bool has_dirty_track;
 	bool has_memfd;
 	bool has_memfd_hugetlb;
+	bool has_memfd_secret;
 	bool has_fdinfo_lock;
 	unsigned long task_size;
 	bool ipv6;

criu/include/magic.h

@@ -37,6 +37,7 @@
 #define FDINFO_MAGIC	     0x56213732 /* Dmitrov */
 #define PAGEMAP_MAGIC	     0x56084025 /* Vladimir */
 #define SHMEM_PAGEMAP_MAGIC  PAGEMAP_MAGIC
+#define SECRETMEM_PAGEMAP_MAGIC	 PAGEMAP_MAGIC
 #define PAGES_MAGIC	     RAW_IMAGE_MAGIC
 #define CORE_MAGIC	     0x55053847 /* Kolomna */
 #define IDS_MAGIC	     0x54432030 /* Konigsberg */
@@ -95,6 +96,7 @@
 #define AUTOFS_MAGIC	     0x49353943 /* Sochi */
 #define FILES_MAGIC	     0x56303138 /* Toropets */
 #define MEMFD_INODE_MAGIC    0x48453499 /* Dnipro */
+#define MEMFD_SECRET_INODE_MAGIC 0x44573468 /* Simferopol */
 #define TIMENS_MAGIC	     0x43114433 /* Beslan */
 #define PIDNS_MAGIC	     0x61157326 /* Surgut */
 #define BPFMAP_FILE_MAGIC    0x57506142 /* Alapayevsk */

criu/include/memfd-secret.h

@@ -0,0 +1,25 @@
+#ifndef __CR_MEMFD_SECRET_H__
+#define __CR_MEMFD_SECRET_H__
+
+#include <sys/types.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include "common/config.h"
+
+extern int is_memfd_secret(dev_t dev);
+extern const struct fdtype_ops memfd_secret_dump_ops;
+extern struct collect_image_info memfd_secret_cinfo;
+
+static inline int memfd_secret(unsigned int flags)
+{
+#ifdef __NR_memfd_secret
+	return syscall(__NR_memfd_secret, flags);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif /* __NR_memfd_secret */
+}
+
+#endif /* __CR_MEMFD_SECRET_H__ */