[C/R PATCH] reject checkpoint of fd subject to F_SETSIG
Serge Hallyn
serge.hallyn at canonical.com
Mon May 2 11:54:48 PDT 2011
Quoting Nathan Lynch (ntl at pobox.com):
> On Mon, 2011-05-02 at 08:18 -0500, Serge Hallyn wrote:
> > Quoting Nathan Lynch (ntl at pobox.com):
> > > Similar to our handling of fds that have been subject to F_SETOWN,
> > > detect when an fd has had its f_owner->signum changed from the
> > > default.
> > >
> > > Signed-off-by: Nathan Lynch <ntl at pobox.com>
> >
> > Hey Nathan,
> >
> > Can you give more motivation for this? Do you just feel that it
> > isn't worth the risk of mis-coding the check at restart?
>
> The principle here is that we should try to catch at checkpoint time
> that which we don't handle correctly at restart. Right now checkpoint
> apparently succeeds, but doing a fcntl(F_GETSIG) after a restart will
> show that the signal set before checkpoint has not been preserved.
Really? I thought for sure Suka had addressed that.
So if you don't mind, please add 'because we do not reset it at restart'
to the end of your description?
> > For safety check, what about forcing such a task to be restarted
> > in a private pidns?
>
> Sorry, I'm not making the connection between this concern and F_SETSIG
> and F_GETSIG.
The signal signum will only be sent to the task identified, by pid,
as the owner. If we weren't doing things right at restart, then
a malicious restarter could cause any signal to be sent to a pid
which it shouldn't be able to kill.
thanks,
-serge
More information about the Containers
mailing list