On Wed, Jul 13, 2022 at 08:17:47AM +0200, Stefano Brivio wrote: > We handle SIGQUIT and SIGTERM calling exit(), which is usually > implemented with the exit_group() system call. > > If we don't allow exit_group(), we'll get a SIGSYS while handling > SIGQUIT and SIGTERM, which means a misleading non-zero exit code. > > Reported-by: Wenli Quan > Link: https://bugzilla.redhat.com/show_bug.cgi?id=2101990 > Signed-off-by: Stefano Brivio Reviewed-by: David Gibson Turns out I had a near identical patch queued in my tree :). > --- > Makefile | 2 +- > README.md | 2 +- > passt.c | 2 ++ > 3 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/Makefile b/Makefile > index 0077fc9..6f7c971 100644 > --- a/Makefile > +++ b/Makefile > @@ -115,7 +115,7 @@ qrap: $(QRAP_SRCS) passt.h > > valgrind: EXTRA_SYSCALLS="rt_sigprocmask rt_sigtimedwait rt_sigaction \ > getpid gettid kill clock_gettime mmap munmap open \ > - unlink exit_group gettimeofday" > + unlink gettimeofday" > valgrind: CFLAGS:=-g -O0 $(filter-out -O%,$(CFLAGS)) > valgrind: all > > diff --git a/README.md b/README.md > index 4fed6d5..628b9bb 100644 > --- a/README.md > +++ b/README.md > @@ -286,7 +286,7 @@ speeding up local connections, and usually requiring NAT. _pasta_: > * ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted) > * ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached > * ✅ no external dependencies (other than a standard C library) > -* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for > +* ✅ restrictive seccomp profiles (26 syscalls allowed for _passt_, 40 for > _pasta_ on x86_64) > * ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and > [SELinux](/passt/tree/contrib/selinux) profiles available > diff --git a/passt.c b/passt.c > index 56fcf5f..a8d94b4 100644 > --- a/passt.c > +++ b/passt.c 
> @@ -257,6 +257,8 @@ static int sandbox(struct ctx *c) > * > * TODO: After unsharing the PID namespace and forking, SIG_DFL for SIGTERM and > * SIGQUIT unexpectedly doesn't cause the process to terminate, figure out why. > + * > + * #syscalls exit_group > */ > void exit_handler(int signal) > { -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
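Review bot: in the Makefile hunk, the removal of exit_group from the valgrind EXTRA_SYSCALLS list is not explained in the commit message, which only talks about adding the call. The removal looks correct only because the "#syscalls exit_group" annotation added in passt.c now covers it in the regular profile. A sentence in the commit message saying the valgrind extra has become redundant would keep a later reader from taking this for an unrelated tightening of the valgrind target.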
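Review bot: in the README.md hunk, the counts "26 syscalls allowed for _passt_, 40 for _pasta_ on x86_64" are numbers kept in step by hand, and nothing in the patch ties the +1 on each to exit_group. Please say in the commit message that both increments come from the single new "#syscalls exit_group" line, so the next patch that touches a "#syscalls" annotation has a clear precedent for updating the README in the same commit.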
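Review bot: in the passt.c hunk, the new "#syscalls exit_group" line sits directly under the TODO about SIG_DFL, and the comment does not say why exit_handler() needs it, so it can be read as part of the TODO. Suggest adding one line of rationale taken from the commit message, for example "exit() is usually implemented with exit_group()". Since exit() also runs atexit handlers and flushes stdio before the final system call, it is worth confirming on the SIGTERM and SIGQUIT path that nothing else it does falls outside the seccomp profile, otherwise the same SIGSYS and misleading exit code would come back.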