From: ebiederm@xmission.com (Eric W. Biederman)
To: Roland McGrath <roland@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Pavel Emelyanov <xemul@openvz.org>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] protect /sbin/init from unwanted signals more
Date: Wed, 19 Nov 2008 18:00:12 -0800
Message-ID: <m1skpncg2b.fsf@frodo.ebiederm.org>
In-Reply-To: <20081119185148.DC1D31544EB@magilla.localdomain> (Roland McGrath's message of "Wed, 19 Nov 2008 10:51:48 -0800 (PST)")

Roland McGrath <roland@redhat.com> writes:

> The effect is fine, but that seems like a kludgey way to do it.
> I really don't think the sigaction case matters--certainly it will never
> come up with SIGKILL.  What about just this instead?
>
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -66,6 +66,15 @@ static int sig_ignored(struct task_struct *t, int sig)
>  		return 0;
>  
>  	handler = sig_handler(t, sig);
> +
> +	/*
> +	 * For init, short-circuit any signal without a handler.
> +	 * We won't allow them to be delivered, so don't even queue them.
> +	 */
> +	if (unlikely(signal->flags & SIGNAL_UNKILLABLE) &&
> +	    (handler == SIG_IGN || handler == SIG_DFL))
> +		return 1;
> +
>  	if (!sig_handler_ignored(handler, sig))
>  		return 0;
>  
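Review bot: `signal` is not declared anywhere in the visible function; sig_ignored() takes only `struct task_struct *t`, so `signal->flags & SIGNAL_UNKILLABLE` will not compile as written. Either test `t->signal->flags & SIGNAL_UNKILLABLE` directly or add `struct signal_struct *signal = t->signal;` at the top of the function. The comment should also spell out that SIGKILL and SIGSTOP fall under the SIG_DFL arm, since their disposition can never be changed and they are the signals this short-circuit is really there to drop for init.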
> With that, I wonder if the SIGNAL_UNKILLABLE checks in get_signal_to_deliver
> and complete_signal are needed at all.  Hmm, I guess we do because this
> doesn't affect blocked signals, so they might be unblocked and delivered.
> (Note that since it doesn't affect blocked signals, this doesn't break init
> using sigwait if it wanted to.)

Ah.  That answers the question I had bouncing in the back of my head.

My original analysis of the situation was that we should not send blocked signals.
Treating handler != SIG_DFL as a permission check.  Not as an optimization.

Mostly because it is more consistent and uniform.

inits today don't do anything with blocked signals.  They explicitly ignore all signals
they don't want to deal with, and enable those they do.

Which I guess means in practice only SIGKILL and SIGSTOP are especially interesting,
and we can't block those so worrying about blocked signals is no big deal.

Which reminds me.  I need to retest, but I had a case where I had a trivial init
that set all signal handlers to SIG_IGN so it could ignore SIGCHLD.  And not
all of its children were getting reaped automagically.  Do we have a bug in
the reparenting/reaping logic?

Eric
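The two user-visible behaviours Eric's trivial init relies on, that a process which sets SIGCHLD to SIG_IGN gets its children reaped by the kernel (so a waitpid() on them fails with ECHILD instead of returning a status), and that the kernel refuses to let SIGKILL and SIGSTOP be ignored at all, can be checked from an ordinary process. The program below is an added example written for this page, not code from the thread or from the kernel tree. It runs as a normal process, not as PID 1, so none of the SIGNAL_UNKILLABLE handling discussed above applies to it; the function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork a child that exits immediately and report how the parent sees it
 * once SIGCHLD has the given disposition (SIG_DFL or SIG_IGN).
 * Returns 1 when the parent has to reap the child itself (waitpid()
 * returns the child's pid), 0 when the kernel reaped it automatically
 * (waitpid() fails with ECHILD), -1 on an unexpected error.
 */
int child_needs_explicit_reap(void (*disposition)(int))
{
    struct sigaction sa, saved;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = disposition;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGCHLD, &sa, &saved) != 0)
        return -1;

    int result = -1;
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);                 /* child: exit at once */
    if (pid > 0) {
        int status;
        pid_t w = waitpid(pid, &status, 0);
        if (w == pid)
            result = 1;           /* zombie was there for us to collect */
        else if (w == -1 && errno == ECHILD)
            result = 0;           /* kernel already released the child */
    }
    sigaction(SIGCHLD, &saved, NULL);
    return result;
}

/*
 * Do what the trivial init in the mail did: try to set every standard
 * signal (1..31) to SIG_IGN.  Returns how many signals the kernel refused
 * to change, or -1 if anything other than SIGKILL/SIGSTOP was refused.
 * The original dispositions are restored before returning.
 */
int ignore_all_standard_signals(void)
{
    struct sigaction ign, saved[32];
    int refused = 0, bad = 0, sig;

    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);

    for (sig = 1; sig <= 31; sig++) {
        if (sigaction(sig, &ign, &saved[sig]) == 0)
            continue;
        /* EINVAL: the kernel never lets SIGKILL or SIGSTOP be ignored. */
        refused++;
        if (sig != SIGKILL && sig != SIGSTOP)
            bad = 1;
    }
    for (sig = 1; sig <= 31; sig++)
        if (sig != SIGKILL && sig != SIGSTOP)
            sigaction(sig, &saved[sig], NULL);

    return bad ? -1 : refused;
}

int main(void)
{
    printf("SIGCHLD=SIG_DFL, parent must reap: %d\n",
           child_needs_explicit_reap(SIG_DFL));
    printf("SIGCHLD=SIG_IGN, parent must reap: %d\n",
           child_needs_explicit_reap(SIG_IGN));
    printf("signals that refuse SIG_IGN: %d\n",
           ignore_all_standard_signals());
    return 0;
}
```

With SIGCHLD ignored the kernel releases the child as soon as it exits, and a waitpid() on it blocks until the child is gone and then fails with ECHILD; with the default disposition the child lingers as a zombie until the parent collects it. The second helper confirms that an "ignore everything" init can never ignore SIGKILL or SIGSTOP, which is why Eric says those two are the only signals that matter in practice.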



Thread overview: 13+ messages
2008-11-18 17:59 [PATCH 1/2] protect /sbin/init from unwanted signals more Oleg Nesterov
2008-11-19 18:51 ` Roland McGrath
2008-11-20  2:00   ` Eric W. Biederman [this message]
2008-11-20  3:04     ` Roland McGrath
2008-11-20 14:52     ` Oleg Nesterov
2008-11-20 18:10       ` Eric W. Biederman
2008-11-20 20:00         ` Oleg Nesterov
2008-11-20 20:28           ` [PATCH] processes: reparent_thread: don't call kill_orphaned_pgrp() if task_detached() Oleg Nesterov
2008-11-26 20:21             ` Roland McGrath
2008-12-04 17:14               ` Oleg Nesterov
2008-12-04  1:06             ` Roland McGrath
2008-11-20 15:20   ` [PATCH 1/2] protect /sbin/init from unwanted signals more Oleg Nesterov
2008-11-20 21:24     ` Oleg Nesterov
