aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>2009-04-02 19:58:08 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-04-02 22:04:58 -0400
commitb3bfa0cba867f23365b81658b47efd906830879b (patch)
treee54d9a9c4c23fc00bb2ff3ed57ef5317a0660ea5
parente4da026f980df125a4918c3bb9fe93185c7ef12a (diff)
signals: protect cinit from blocked fatal signals
Normally SIG_DFL signals to global and container-init are dropped early. But if a signal is blocked when it is posted, we cannot drop the signal since the receiver may install a handler before unblocking the signal. Once this signal is queued however, the receiver container-init has no way of knowing if the signal was sent from an ancestor or descendant namespace. This patch ensures that contianer-init drops all SIG_DFL signals in get_signal_to_deliver() except SIGKILL/SIGSTOP. If SIGSTOP/SIGKILL originate from a descendant of container-init they are never queued (i.e dropped in sig_ignored() in an earler patch). If SIGSTOP/SIGKILL originate from parent namespace, the signal is queued and container-init processes the signal. IOW, if get_signal_to_deliver() sees a sig_kernel_only() signal for global or container-init, the signal must have been generated internally or must have come from an ancestor ns and we process the signal. Further, the signal_group_exit() check was needed to cover the case of a multi-threaded init sending SIGKILL to other threads when doing an exit() or exec(). But since the new sig_kernel_only() check covers the SIGKILL, the signal_group_exit() check is no longer needed and can be removed. Finally, now that we have all pieces in place, set SIGNAL_UNKILLABLE for container-inits. Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Cc: Roland McGrath <roland@redhat.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Daniel Lezcano <daniel.lezcano@free.fr> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--kernel/fork.c2
-rw-r--r--kernel/signal.c9
2 files changed, 10 insertions, 1 deletions
diff --git a/kernel/fork.c b/kernel/fork.c
index d7eb727eb535..adbea16ec649 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -841,6 +841,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
841 atomic_set(&sig->live, 1); 841 atomic_set(&sig->live, 1);
842 init_waitqueue_head(&sig->wait_chldexit); 842 init_waitqueue_head(&sig->wait_chldexit);
843 sig->flags = 0; 843 sig->flags = 0;
844 if (clone_flags & CLONE_NEWPID)
845 sig->flags |= SIGNAL_UNKILLABLE;
844 sig->group_exit_code = 0; 846 sig->group_exit_code = 0;
845 sig->group_exit_task = NULL; 847 sig->group_exit_task = NULL;
846 sig->group_stop_count = 0; 848 sig->group_stop_count = 0;
diff --git a/kernel/signal.c b/kernel/signal.c
index fb19aae2363b..ba3da25f0eea 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1870,9 +1870,16 @@ relock:
1870 1870
1871 /* 1871 /*
1872 * Global init gets no signals it doesn't want. 1872 * Global init gets no signals it doesn't want.
1873 * Container-init gets no signals it doesn't want from same
1874 * container.
1875 *
1876 * Note that if global/container-init sees a sig_kernel_only()
1877 * signal here, the signal must have been generated internally
1878 * or must have come from an ancestor namespace. In either
1879 * case, the signal cannot be dropped.
1873 */ 1880 */
1874 if (unlikely(signal->flags & SIGNAL_UNKILLABLE) && 1881 if (unlikely(signal->flags & SIGNAL_UNKILLABLE) &&
1875 !signal_group_exit(signal)) 1882 !sig_kernel_only(signr))
1876 continue; 1883 continue;
1877 1884
1878 if (sig_kernel_stop(signr)) { 1885 if (sig_kernel_stop(signr)) {