From: Benjamin Berg <benjamin@sipsolutions.net>
To: linux-um@lists.infradead.org
Cc: Benjamin Berg <benjamin@sipsolutions.net>
Subject: [PATCH 25/27] um: Die if a child dies unexpectedly in seccomp mode
Date: Wed, 3 Mar 2021 16:55:21 +0100
Message-ID: <20210303155523.124277-26-benjamin@sipsolutions.net>
In-Reply-To: <20210303155523.124277-1-benjamin@sipsolutions.net>

When in seccomp mode, we would hang forever on the futex if a child has
died unexpectedly. In contrast, ptrace mode will notice it and kill the
corresponding thread when it fails to run it.

Fix this issue by simply printing a message and aborting. In this case
something from the outside (e.g. OOM killer) has interfered with the
machine and it is reasonable to not try to recover.

Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
---
arch/um/include/shared/os.h | 1 +
arch/um/os-Linux/process.c | 40 +++++++++++++++++++++++++++++++++++++
arch/um/os-Linux/signal.c | 7 +++++++
3 files changed, 48 insertions(+)
diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h
index 8514d90cd5fa..283e95731d6f 100644
--- a/arch/um/include/shared/os.h
+++ b/arch/um/include/shared/os.h
@@ -192,6 +192,7 @@ extern void check_host_supports_tls(int *supports_tls, int *tls_min);
extern int create_mem_file(unsigned long long len);
/* process.c */
+void os_check_child_lost(void);
extern unsigned long os_process_pc(int pid);
extern int os_process_parent(int pid);
extern void os_alarm_process(int pid);
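
Review bot: The new prototype `void os_check_child_lost(void);` drops the `extern` that the neighbouring declarations under `/* process.c */` carry; either match the surrounding style or note in the commit message that new declarations in this header intentionally omit it. A one-line comment saying the function is meant to be called from the SIGCHLD handler would also help readers of the header.
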
diff --git a/arch/um/os-Linux/process.c b/arch/um/os-Linux/process.c
index e52dd37ddadc..db98fc79d9e2 100644
--- a/arch/um/os-Linux/process.c
+++ b/arch/um/os-Linux/process.c
@@ -17,6 +17,7 @@
#include <init.h>
#include <longjmp.h>
#include <os.h>
+#include <skas/skas.h>
#define ARBITRARY_ADDR -1
#define FAILURE_PID -1
@@ -102,9 +103,18 @@ void os_stop_process(int pid)
void os_kill_process(int pid, int reap_child)
{
+ sigset_t chld;
+
+ /* Block SIGCHLD so that we can reap it before the handler runs. */
+ sigemptyset(&chld);
+ sigaddset(&chld, SIGCHLD);
+ sigprocmask(SIG_BLOCK, &chld, NULL);
+
kill(pid, SIGKILL);
if (reap_child)
CATCH_EINTR(waitpid(pid, NULL, __WALL));
+
+ sigprocmask(SIG_UNBLOCK, &chld, NULL);
}
/* Kill off a ptraced child by all means available. kill it normally first,
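
Review bot: When `reap_child` is 0 in os_kill_process(), the killed child is left unreaped, so the SIGCHLD that becomes deliverable at the final `sigprocmask(SIG_UNBLOCK, &chld, NULL)` looks like it will reach os_check_child_lost(), whose `waitpid(-1, &status, WNOHANG)` would then reap this expected kill and abort the machine. Please either document that seccomp mode never calls this with `reap_child == 0` or handle that case explicitly. Separately, the unconditional SIG_UNBLOCK unblocks SIGCHLD even if the caller had it blocked on entry; saving the old mask from the SIG_BLOCK call and restoring it with SIG_SETMASK avoids that, and the return values of sigprocmask() are currently ignored.
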
@@ -114,11 +124,39 @@ void os_kill_process(int pid, int reap_child)
void os_kill_ptraced_process(int pid, int reap_child)
{
+ sigset_t chld;
+
+ /* Block SIGCHLD so that we can reap it before the handler runs. */
+ sigemptyset(&chld);
+ sigaddset(&chld, SIGCHLD);
+ sigprocmask(SIG_BLOCK, &chld, NULL);
+
kill(pid, SIGKILL);
ptrace(PTRACE_KILL, pid);
ptrace(PTRACE_CONT, pid);
if (reap_child)
CATCH_EINTR(waitpid(pid, NULL, __WALL));
+
+ sigprocmask(SIG_UNBLOCK, &chld, NULL);
+}
+
+void os_check_child_lost(void)
+{
+ int status;
+ pid_t pid;
+
+ /*
+ * Check if we can reap a child.
+ * Any expected kills will clean up without this handler being fired.
+ */
+ pid = waitpid(-1, &status, WNOHANG);
+ if (pid <= 0)
+ return;
+
+ os_warn("Child %d died unexpectedly with status %d, cannot recover in seccomp mode!\r\n",
+ pid, status);
+ /* Kill ourselves including all children. */
+ killpg(os_getpid(), SIGABRT);
}
/* Don't use the glibc version, which caches the result in TLS. It misses some
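
Review bot: In os_check_child_lost(), `killpg(os_getpid(), SIGABRT)` only works if this process is the leader of its process group; if it is not, the call fails (or targets a different group) and the function returns, leaving the futex hang this patch is meant to remove. Passing 0 as the group, or falling back to aborting the current process when killpg() fails, would make the "cannot recover" path reliable. The warning also prints the raw wait status with `%d`; decoding it with WIFSIGNALED/WTERMSIG and WIFEXITED/WEXITSTATUS would make an OOM kill recognisable in the log. The mask-restore remark on os_kill_process() applies to os_kill_ptraced_process() in this hunk as well.
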
@@ -283,5 +321,7 @@ void init_new_thread_signals(void)
set_handler(SIGBUS);
signal(SIGHUP, SIG_IGN);
set_handler(SIGIO);
+ if (using_seccomp)
+ set_handler(SIGCHLD);
signal(SIGWINCH, SIG_IGN);
}
diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c
index 96f511d1aabe..d04b39bace53 100644
--- a/arch/um/os-Linux/signal.c
+++ b/arch/um/os-Linux/signal.c
@@ -94,6 +94,11 @@ static void timer_real_alarm_handler(mcontext_t *mc)
timer_handler(SIGALRM, NULL, ®s);
}
+static void sig_child_handler(int sig, struct siginfo *unused_si, mcontext_t *mc)
+{
+ os_check_child_lost();
+}
+
void timer_alarm_handler(int sig, struct siginfo *unused_si, mcontext_t *mc)
{
int enabled;
@@ -155,6 +160,8 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = {
[SIGIO] = sig_handler,
[SIGWINCH] = sig_handler,
+ /* SIGCHLD is only registered in seccomp mode. */
+ [SIGCHLD] = sig_child_handler,
[SIGALRM] = timer_alarm_handler,
[SIGUSR1] = sigusr1_handler,
--
2.29.2