Re: [PATCH 1/2] protect /sbin/init from unwanted signals more

All of lore.kernel.org
 help / color / mirror / Atom feed

From: ebiederm@xmission.com (Eric W. Biederman)
To: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Pavel Emelyanov <xemul@openvz.org>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] protect /sbin/init from unwanted signals more
Date: Thu, 20 Nov 2008 10:10:08 -0800	[thread overview]
Message-ID: <m13ahm9slb.fsf@frodo.ebiederm.org> (raw)
In-Reply-To: <20081120145234.GA3325@redhat.com> (Oleg Nesterov's message of "Thu, 20 Nov 2008 15:52:34 +0100")

Oleg Nesterov <oleg@redhat.com> writes:

> On 11/19, Eric W. Biederman wrote:
>>
>> Roland McGrath <roland@redhat.com> writes:
>>
>> > With that, I wonder if the SIGNAL_UNKILLABLE checks in get_signal_to_deliver
>> > and complete_signal are needed at all.  Hmm, I guess we do because this
>> > doesn't affect blocked signals, so they might be unblocked and delivered.
>> > (Note that since it doesn't affect blocked signals, this doesn't break init
>> > using sigwait if it wanted to.)
>>
>> Ah.  That answers the question I had bouncing in the back of my head.
>
> Even worse. The signal can be dequeued even before unblocked by the target.
> complete_signal() can "redirect" this signal to another thread wich doesn't
> block it.

The signal handlers should still be the same.

>> My original analysis of the situation was that we should not send blocked
> signals.
>> Treating handler != SIG_DFL as a permission check.  Not as an optimization.
>>
>> Mostly because it is more consistent and uniform.
>>
>> inits today don't do anything with blocked signals.
>
> (I guess you mean "with blocked SIG_DFL signals", otherwise this is
>  too strong ;)

Could be.

> If init does exec and do not want to miss (say) SIGCHLD, the only option
> is to block it before exec. And right after exec the handler is SIG_DFL.

Interesting point.

>> They explicitly ignore all signals,
>> they don't want to deal with an enable those they do.
>
> I do remember I had the (unrelated) bugreport which in particular showed
> that user-space sends SIGUSR1 to init. Usually init has a handler and does
> something in responce, but sometimes the handler is SIG_DFL. I don't
> remember the distribution, ubuntu iirc.

Could be.  I have to follow up on what craziness upstart is doing.
So my information is a bit dated.

> Yes, this perhaps means init is not perfect, but still.
>
>> Which reminds me.  I need to retest, but I had a case where I had a trivial
> init
>> that set all signal handlers to SIG_IGN so it could ignore SIGCHLD.  And not
>> all of it's children were getting reaped automagically.  Do we have a bug in
>> the reparenting/reaping logic?
>
> Ah... I thought this was already fixed... shouldn't reparent_thread()
> check task_detached() after do_notify() ? like ptrace_exit() does.

Like I said I need to retest.  I was on a 2.6.26 fedora kernel base.
So if there have been recent bug fixes things may have changed.

Eric

next prev parent reply	other threads:[~2008-11-20 18:16 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-11-18 17:59 [PATCH 1/2] protect /sbin/init from unwanted signals more Oleg Nesterov
2008-11-19 18:51 ` Roland McGrath
2008-11-20  2:00   ` Eric W. Biederman
2008-11-20  3:04     ` Roland McGrath
2008-11-20 14:52     ` Oleg Nesterov
2008-11-20 18:10       ` Eric W. Biederman [this message]
2008-11-20 20:00         ` Oleg Nesterov
2008-11-20 20:28           ` [PATCH] processes: reparent_thread: don't call kill_orphaned_pgrp() if task_detached() Oleg Nesterov
2008-11-26 20:21             ` Roland McGrath
2008-12-04 17:14               ` Oleg Nesterov
2008-12-04  1:06             ` Roland McGrath
2008-11-20 15:20   ` [PATCH 1/2] protect /sbin/init from unwanted signals more Oleg Nesterov
2008-11-20 21:24     ` Oleg Nesterov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m13ahm9slb.fsf@frodo.ebiederm.org \
    --to=ebiederm@xmission.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oleg@redhat.com \
    --cc=roland@redhat.com \
    --cc=serue@us.ibm.com \
    --cc=sukadev@linux.vnet.ibm.com \
    --cc=xemul@openvz.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.