Re: [PATCH/RFC] mount: improve signal management when locking mtab.

From: Chuck Lever <chuck.lever@oracle.com>
To: NeilBrown <neilb@suse.de>
Cc: Steve Dickson <SteveD@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH/RFC] mount: improve signal management when locking mtab.
Date: Wed, 22 Jun 2011 09:08:25 -0600	[thread overview]
Message-ID: <B1677B7E-3A7E-418B-9CCA-0844510B59C8@oracle.com> (raw)
In-Reply-To: <20110622163852.71a2ae80@notabene.brown>

Since we are going to adopt libmount for mount.nfs in the near future, would it be better to update libmount instead?

On Jun 22, 2011, at 12:38 AM, NeilBrown wrote:

> 
> From: Neil Brown <neilb@suse.de>
> Date: Wed, 22 Jun 2011 16:15:45 +1000
> Subject: [PATCH] mount: improve signal management when locking mtab.
> 
> As mount.nfs can run setuid it must be careful about how the user can
> interact with in.  In particular it needs to ensure it does not
> respond badly to any signals that the user might be able to generate.
> 
> This is particularly an issue while updating /etc/mtab (when that is
> not linked to /proc/mounts).  If the user can generate a signal which
> kills mount.nfs while /etc/mtab is locked, then it will leave the file
> locked, and could possibly corrupt mtab (particularly if 'ulimit 1'
> was previously issued).
> 
> Currently lock_mtab does set some handlers for signals, but not
> enough.  It arranges for every signal up to (but not including)
> SIGCHLD to cause mount.nfs to unlock mdadm promptly exit ... even if
> the default behaviour would be to ignore the signal.  SIGALRM is
> handled specially, and signals after SIGCHLD are left with their
> default behaviour.  This includes for example SIGXFSZ which can be
> generated by the user running "ulimit 1".
> 
> So: change this so that some signals are left unchanged, SIGALRM is
> handled as required, and all signals that the user can generate are
> explicitly ignored.
> 
> The remainder still cause mount.nfs to print a message, unlock mtab, and exit.
> 
> Signed-off-by: NeilBrown <neilb@suse.de>
> ---
> utils/mount/fstab.c |   37 ++++++++++++++++++++++++++++++++-----
> 1 files changed, 32 insertions(+), 5 deletions(-)
> 
> diff --git a/utils/mount/fstab.c b/utils/mount/fstab.c
> index a742e64..1fc9efe 100644
> --- a/utils/mount/fstab.c
> +++ b/utils/mount/fstab.c
> @@ -331,16 +331,43 @@ lock_mtab (void) {
> 		int sig = 0;
> 		struct sigaction sa;
> 
> -		sa.sa_handler = handler;
> 		sa.sa_flags = 0;
> 		sigfillset (&sa.sa_mask);
> 
> -		while (sigismember (&sa.sa_mask, ++sig) != -1
> -		       && sig != SIGCHLD) {
> -			if (sig == SIGALRM)
> +		while (sigismember (&sa.sa_mask, ++sig) != -1) {
> +			switch(sig) {
> +			case SIGCHLD:
> +			case SIGKILL:
> +			case SIGCONT:
> +			case SIGSTOP:
> +				/* The cannot be caught, or should not,
> +				 * so don't even try.
> +				 */
> +				continue;
> +			case SIGALRM:
> 				sa.sa_handler = setlkw_timeout;
> -			else
> +				break;
> +			case SIGHUP:
> +			case SIGINT:
> +			case SIGQUIT:
> +			case SIGWINCH:
> +			case SIGTSTP:
> +			case SIGTTIN:
> +			case SIGTTOU:
> +			case SIGPIPE:
> +			case SIGXFSZ:
> +			case SIGXCPU:
> +				/* non-priv user can cause these to be
> +				 * generated, so ignore them.
> +				 */
> +				sa.sa_handler = SIG_IGN;
> +				break;
> +			default:
> +				/* The rest should not be possible, so just
> +				 * print a message and unlock mtab.
> +				 */
> 				sa.sa_handler = handler;
> +			}
> 			sigaction (sig, &sa, (struct sigaction *) 0);
> 		}
> 		signals_have_been_setup = 1;
> -- 
> 1.7.3.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com