From: benjamin@sipsolutions.net
To: linux-um@lists.infradead.org
Cc: Benjamin Berg <benjamin@sipsolutions.net>
Subject: [PATCH v2 26/28] um: Die if a child dies unexpectedly in seccomp mode
Date: Tue, 22 Nov 2022 11:07:57 +0100 [thread overview]
Message-ID: <20221122100759.208290-27-benjamin@sipsolutions.net> (raw)
In-Reply-To: <20221122100759.208290-1-benjamin@sipsolutions.net>
From: Benjamin Berg <benjamin@sipsolutions.net>
When in seccomp mode, we would hang forever on the futex if a child has
died unexpectedly. In contrast, ptrace mode will notice it and kill the
corresponding thread when it fails to run it.
Fix this issue by simply printing a message and aborting. In this case
something from the outside (e.g. OOM killer) has interferred with the
machine and it is reasonable to not try to recover.
Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
---
arch/um/include/shared/os.h | 1 +
arch/um/os-Linux/process.c | 40 +++++++++++++++++++++++++++++++++++++
arch/um/os-Linux/signal.c | 7 +++++++
3 files changed, 48 insertions(+)
diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h
index d1f1dedad83b..07683f45d7e1 100644
--- a/arch/um/include/shared/os.h
+++ b/arch/um/include/shared/os.h
@@ -192,6 +192,7 @@ extern void get_host_cpu_features(
extern int create_mem_file(unsigned long long len);
/* process.c */
+void os_check_child_lost(void);
extern unsigned long os_process_pc(int pid);
extern int os_process_parent(int pid);
extern void os_alarm_process(int pid);
diff --git a/arch/um/os-Linux/process.c b/arch/um/os-Linux/process.c
index e52dd37ddadc..db98fc79d9e2 100644
--- a/arch/um/os-Linux/process.c
+++ b/arch/um/os-Linux/process.c
@@ -17,6 +17,7 @@
#include <init.h>
#include <longjmp.h>
#include <os.h>
+#include <skas/skas.h>
#define ARBITRARY_ADDR -1
#define FAILURE_PID -1
@@ -102,9 +103,18 @@ void os_stop_process(int pid)
void os_kill_process(int pid, int reap_child)
{
+ sigset_t chld;
+
+ /* Block SIGCHLD so that we can reap it before the handler runs. */
+ sigemptyset(&chld);
+ sigaddset(&chld, SIGCHLD);
+ sigprocmask(SIG_BLOCK, &chld, NULL);
+
kill(pid, SIGKILL);
if (reap_child)
CATCH_EINTR(waitpid(pid, NULL, __WALL));
+
+ sigprocmask(SIG_UNBLOCK, &chld, NULL);
}
/* Kill off a ptraced child by all means available. kill it normally first,
@@ -114,11 +124,39 @@ void os_kill_process(int pid, int reap_child)
void os_kill_ptraced_process(int pid, int reap_child)
{
+ sigset_t chld;
+
+ /* Block SIGCHLD so that we can reap it before the handler runs. */
+ sigemptyset(&chld);
+ sigaddset(&chld, SIGCHLD);
+ sigprocmask(SIG_BLOCK, &chld, NULL);
+
kill(pid, SIGKILL);
ptrace(PTRACE_KILL, pid);
ptrace(PTRACE_CONT, pid);
if (reap_child)
CATCH_EINTR(waitpid(pid, NULL, __WALL));
+
+ sigprocmask(SIG_UNBLOCK, &chld, NULL);
+}
+
+void os_check_child_lost(void)
+{
+ int status;
+ pid_t pid;
+
+ /*
+ * Check if we can reap a child.
+ * Any expected kills will clean up without this handler being fired.
+ */
+ pid = waitpid(-1, &status, WNOHANG);
+ if (pid <= 0)
+ return;
+
+ os_warn("Child %d died unexpectedly with status %d, cannot recover in seccomp mode!\r\n",
+ pid, status);
+ /* Kill ourselves including all children. */
+ killpg(os_getpid(), SIGABRT);
}
/* Don't use the glibc version, which caches the result in TLS. It misses some
@@ -283,5 +321,7 @@ void init_new_thread_signals(void)
set_handler(SIGBUS);
signal(SIGHUP, SIG_IGN);
set_handler(SIGIO);
+ if (using_seccomp)
+ set_handler(SIGCHLD);
signal(SIGWINCH, SIG_IGN);
}
diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c
index 24a403a70a02..d8c92e04c873 100644
--- a/arch/um/os-Linux/signal.c
+++ b/arch/um/os-Linux/signal.c
@@ -108,6 +108,11 @@ static void timer_real_alarm_handler(mcontext_t *mc)
timer_handler(SIGALRM, NULL, ®s);
}
+static void sig_child_handler(int sig, struct siginfo *unused_si, mcontext_t *mc)
+{
+ os_check_child_lost();
+}
+
void timer_alarm_handler(int sig, struct siginfo *unused_si, mcontext_t *mc)
{
int enabled;
@@ -169,6 +174,8 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = {
[SIGIO] = sig_handler,
[SIGWINCH] = sig_handler,
+ /* SIGCHLD is only registered in seccomp mode. */
+ [SIGCHLD] = sig_child_handler,
[SIGALRM] = timer_alarm_handler,
[SIGUSR1] = sigusr1_handler,
--
2.38.1
_______________________________________________
linux-um mailing list
linux-um@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-um
next prev parent reply other threads:[~2022-11-22 10:11 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-22 10:07 [PATCH v2 00/28] Implement SECCOMP based userland benjamin
2022-11-22 10:07 ` [PATCH v2 01/28] um: Switch printk calls to adhere to correct coding style benjamin
2022-11-22 10:07 ` [PATCH v2 02/28] um: Declare fix_range_common as a static function benjamin
2022-11-22 10:07 ` [PATCH v2 03/28] um: Drop support for hosts without SYSEMU_SINGLESTEP support benjamin
2022-11-22 10:07 ` [PATCH v2 04/28] um: Drop NULL check from start_userspace benjamin
2022-11-22 10:07 ` [PATCH v2 05/28] um: Make errors to stop ptraced child fatal during startup benjamin
2022-11-22 10:07 ` [PATCH v2 06/28] um: Don't use vfprintf() for os_info() benjamin
2022-11-22 10:07 ` [PATCH v2 07/28] um: Do not use printk in SIGWINCH helper thread benjamin
2022-11-22 10:07 ` [PATCH v2 08/28] um: Reap winch thread if it fails benjamin
2022-11-22 10:07 ` [PATCH v2 09/28] um: Do not use printk in userspace trampoline benjamin
2022-11-22 10:07 ` [PATCH v2 10/28] um: Always inline stub functions benjamin
2022-11-22 10:07 ` [PATCH v2 11/28] um: Rely on PTRACE_SETREGSET to set FS/GS base registers benjamin
2022-11-22 10:07 ` [PATCH v2 12/28] um: Remove unused register save/restore functions benjamin
2022-11-22 10:07 ` [PATCH v2 13/28] um: Mark 32bit syscall helpers as clobbering memory benjamin
2022-11-22 10:07 ` [PATCH v2 14/28] um: Remove stub-data.h include from common-offsets.h benjamin
2022-11-22 10:07 ` [PATCH v2 15/28] um: Create signal stack memory assignment in stub_data benjamin
2022-11-22 10:07 ` [PATCH v2 16/28] um: Add generic stub_syscall6 function benjamin
2022-11-22 10:07 ` [PATCH v2 17/28] um: Rework syscall handling benjamin
2022-11-22 10:07 ` [PATCH v2 18/28] um: Store full CSGSFS and SS register from mcontext benjamin
2022-11-22 10:07 ` [PATCH v2 19/28] um: Pass full mm_id to functions creating helper processes benjamin
2022-11-22 10:07 ` [PATCH v2 20/28] um: Move faultinfo extraction into userspace routine benjamin
2022-11-22 10:07 ` [PATCH v2 21/28] um: Use struct uml_pt_regs for copy_context_skas0 benjamin
2022-11-22 10:07 ` [PATCH v2 22/28] um: Add UML_SECCOMP configuration option benjamin
2022-11-22 10:07 ` [PATCH v2 23/28] um: Add stub side of SECCOMP/futex based process handling benjamin
2022-11-22 10:07 ` [PATCH v2 24/28] um: Add helper functions to get/set state for SECCOMP benjamin
2022-11-22 10:07 ` [PATCH v2 25/28] um: Add SECCOMP support detection and initialization benjamin
2022-11-22 10:07 ` benjamin [this message]
2022-11-22 10:07 ` [PATCH v2 27/28] um: Implement kernel side of SECCOMP based process handling benjamin
2022-11-22 10:07 ` [PATCH v2 28/28] um: Delay flushing syscalls until the thread is restarted benjamin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221122100759.208290-27-benjamin@sipsolutions.net \
--to=benjamin@sipsolutions.net \
--cc=linux-um@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).