    signals: protect cinit from blocked fatal signals · b3bfa0cb
    Sukadev Bhattiprolu authored
    Normally SIG_DFL signals to global and container-init are dropped early.
    But if a signal is blocked when it is posted, we cannot drop the signal
    since the receiver may install a handler before unblocking the signal.
    Once this signal is queued however, the receiver container-init has no way
    of knowing if the signal was sent from an ancestor or descendant
    namespace.  This patch ensures that container-init drops all SIG_DFL
    signals in get_signal_to_deliver() except SIGKILL/SIGSTOP.
    
    If SIGSTOP/SIGKILL originate from a descendant of container-init they are
    never queued (i.e. dropped in sig_ignored() in an earlier patch).
    
    If SIGSTOP/SIGKILL originate from parent namespace, the signal is queued
    and container-init processes the signal.
    
    IOW, if get_signal_to_deliver() sees a sig_kernel_only() signal for global
    or container-init, the signal must have been generated internally or must
    have come from an ancestor ns and we process the signal.
    
    Further, the signal_group_exit() check was needed to cover the case of a
    multi-threaded init sending SIGKILL to other threads when doing an exit()
    or exec().  But since the new sig_kernel_only() check covers the SIGKILL,
    the signal_group_exit() check is no longer needed and can be removed.
    
    Finally, now that we have all pieces in place, set SIGNAL_UNKILLABLE for
    container-inits.
    Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
    Cc: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Roland McGrath <roland@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Daniel Lezcano <daniel.lezcano@free.fr>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
signal.c 66.5 KB
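The two-stage rule the commit message describes (drop at send time in sig_ignored() when the origin namespace is still known; drop everything except sig_kernel_only() at delivery time in get_signal_to_deliver(), when it no longer is) is easier to see as a decision table. The following is an added user-space model written for this page, not code from the kernel or from the patch. The function names mirror the kernel's but their bodies are simplified assumptions: the blocked/pending sets are 64-bit masks, sig_kernel_only() is assumed to be exactly SIGKILL and SIGSTOP, and the ptrace and real_blocked paths of the real sig_ignored() are left out.

```c
/*
 * Added user-space model of the two checks the commit describes; not kernel
 * code.  Names mirror the kernel's (sig_ignored, get_signal_to_deliver,
 * sig_kernel_only) but the bodies are simplified assumptions.
 */
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_NSIG 65                    /* room for signals 1..64 */

enum handler_kind { H_DFL = 0, H_IGN, H_USER };

enum outcome {
    NOT_QUEUED,        /* dropped at send time, never reaches the queue */
    DROPPED,           /* queued, then discarded in get_signal_to_deliver() */
    DELIVERED_HANDLER, /* queued, then handed to a user handler */
    DEFAULT_ACTION     /* queued, then default action taken (kill/stop init) */
};

struct init_task {
    bool unkillable;                       /* SIGNAL_UNKILLABLE set on init */
    enum handler_kind handler[MODEL_NSIG]; /* per-signal disposition */
    uint64_t blocked;                      /* assumption: 64-bit mask */
    uint64_t pending;                      /* queued signals, same encoding */
};

static uint64_t sigbit(int sig) { return (uint64_t)1 << (sig - 1); }

/* Assumption: the only sig_kernel_only() signals are SIGKILL and SIGSTOP. */
static bool sig_kernel_only(int sig) { return sig == SIGKILL || sig == SIGSTOP; }

/* Send-time check (the "earlier patch").  True means: drop before queueing. */
static bool sig_ignored(const struct init_task *t, int sig, bool from_ancestor_ns)
{
    /* A blocked signal cannot be dropped: a handler may be installed later. */
    if (t->blocked & sigbit(sig))
        return false;
    if (t->handler[sig] == H_IGN)
        return true;
    if (t->handler[sig] != H_DFL)
        return false;
    /* SIG_DFL from the same or a descendant namespace never reaches init,
     * SIGKILL/SIGSTOP included. */
    return t->unkillable && !from_ancestor_ns;
}

static bool send_signal(struct init_task *t, int sig, bool from_ancestor_ns)
{
    if (sig_ignored(t, sig, from_ancestor_ns))
        return false;
    t->pending |= sigbit(sig);
    return true;
}

/*
 * Delivery-time check.  The origin namespace is unknown here, so an
 * unkillable init drops every SIG_DFL signal that is not sig_kernel_only();
 * a separate signal_group_exit() test for SIGKILL is no longer needed.
 */
static enum outcome get_signal_to_deliver(struct init_task *t, int sig)
{
    t->pending &= ~sigbit(sig);            /* dequeue */
    if (t->handler[sig] == H_IGN)
        return DROPPED;
    if (t->handler[sig] == H_USER)
        return DELIVERED_HANDLER;
    if (t->unkillable && !sig_kernel_only(sig))
        return DROPPED;
    return DEFAULT_ACTION;
}

/*
 * One end-to-end scenario: sig is posted to a fresh container-init (every
 * disposition SIG_DFL), optionally while blocked; the receiver may install a
 * handler before unblocking; then the signal is delivered.
 */
static enum outcome run_scenario(int sig, bool from_ancestor_ns,
                                 bool blocked_at_send, bool handler_before_unblock)
{
    struct init_task init = { .unkillable = true };
    if (blocked_at_send)
        init.blocked = sigbit(sig);
    if (!send_signal(&init, sig, from_ancestor_ns))
        return NOT_QUEUED;
    if (handler_before_unblock)
        init.handler[sig] = H_USER;
    init.blocked = 0;
    return get_signal_to_deliver(&init, sig);
}

int main(void)
{
    static const char *name[] = { "not queued", "dropped at delivery",
                                  "delivered to handler", "default action" };
    printf("SIGTERM from descendant, blocked, no handler: %s\n",
           name[run_scenario(SIGTERM, false, true, false)]);
    printf("SIGTERM from descendant, blocked, handler:    %s\n",
           name[run_scenario(SIGTERM, false, true, true)]);
    printf("SIGKILL from ancestor:                        %s\n",
           name[run_scenario(SIGKILL, true, false, false)]);
    return 0;
}
```

The interesting row is a SIG_DFL signal posted while blocked: it has to be queued, because the receiver may still install a handler before unblocking, and only the delivery-time check can tell the two outcomes apart. SIGKILL from a descendant never enters the queue at all, while SIGKILL from an ancestor survives both checks and reaches the default action.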