From: David Gibson
To: passt-dev@passt.top
Subject: Re: [PATCH] passt: Allow exit_group() system call in seccomp profiles
Date: Thu, 14 Jul 2022 13:08:29 +1000
Message-ID:
In-Reply-To: <20220713061747.1427736-1-sbrivio@redhat.com>

On Wed, Jul 13, 2022 at 08:17:47AM +0200, Stefano Brivio wrote:
> We handle SIGQUIT and SIGTERM calling exit(), which is usually
> implemented with the exit_group() system call.
>
> If we don't allow exit_group(), we'll get a SIGSYS while handling
> SIGQUIT and SIGTERM, which means a misleading non-zero exit code.
>
> Reported-by: Wenli Quan
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2101990
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

Turns out I had a near identical patch queued in my tree :).

> --- > Makefile | 2 +- > README.md | 2 +- > passt.c | 2 ++ > 3 files changed, 4 insertions(+), 2 deletions(-) >=20 > diff --git a/Makefile b/Makefile > index 0077fc9..6f7c971 100644 > --- a/Makefile > +++ b/Makefile > @@ -115,7 +115,7 @@ qrap: $(QRAP_SRCS) passt.h > =20 > valgrind: EXTRA_SYSCALLS=3D"rt_sigprocmask rt_sigtimedwait rt_sigaction \ > getpid gettid kill clock_gettime mmap munmap open \ > - unlink exit_group gettimeofday" > + unlink gettimeofday" > valgrind: CFLAGS:=3D-g -O0 $(filter-out -O%,$(CFLAGS)) > valgrind: all > =20 > diff --git a/README.md b/README.md > index 4fed6d5..628b9bb 100644 > --- a/README.md > +++ b/README.md
> @@ -286,7 +286,7 @@ speeding up local connections, and usually requiring NA= T. _pasta_: > * =E2=9C=85 all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (i= f granted) > * =E2=9C=85 with default options, user, mount, IPC, UTS, PID namespaces ar= e detached > * =E2=9C=85 no external dependencies (other than a standard C library) > -* =E2=9C=85 restrictive seccomp profiles (25 syscalls allowed for _passt_,= 39 for > +* =E2=9C=85 restrictive seccomp profiles (26 syscalls allowed for _passt_,= 40 for > _pasta_ on x86_64) > * =E2=9C=85 examples of [AppArmor](/passt/tree/contrib/apparmor) and > [SELinux](/passt/tree/contrib/selinux) profiles available > diff --git a/passt.c b/passt.c > index 56fcf5f..a8d94b4 100644 > --- a/passt.c > +++ b/passt.c 
> @@ -257,6 +257,8 @@ static int sandbox(struct ctx *c) > * > * TODO: After unsharing the PID namespace and forking, SIG_DFL for SIGTER= M and > * SIGQUIT unexpectedly doesn't cause the process to terminate, figure out= why. > + * > + * #syscalls exit_group > */ > void exit_handler(int signal) > {

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
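
Review bot: in the Makefile hunk, exit_group is dropped from the valgrind target's EXTRA_SYSCALLS, but the commit message only talks about allowing the call and never explains why a removal shows up here. A sentence saying the entry becomes redundant once passt.c carries "#syscalls exit_group" would make the hunk self-explanatory, and it is worth confirming that a valgrind build still ends up with exit_group in its profile from that annotation alone.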
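
Review bot: in the README.md hunk, the syscall counts (25 to 26 for passt, 39 to 40 for pasta) are edited by hand and qualified only as "on x86_64", so they stay correct only as long as someone remembers to bump them with every new #syscalls annotation. Consider re-counting against the built profiles before applying, or deriving the numbers from whatever consumes the #syscalls annotations, so the documented sandbox surface cannot drift from the real one.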
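
Review bot: in the passt.c hunk, the annotation above exit_handler() lists only exit_group, while the commit message says exit() is "usually" implemented with it. If a supported C library ends exit() with the plain exit system call instead, the handler would still die with SIGSYS unless exit is already allowed elsewhere, so please confirm that or list both calls. A short remark in the comment on why the handler needs exit_group (exit() reached from the SIGTERM/SIGQUIT path) would also help, since the TODO just above it is about a different problem.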
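
The failure mode described in the commit message can be reproduced in isolation on Linux. This is an added example, not code from passt or from this thread: the filter is constructed for the demonstration (it denies a single syscall, whereas the README describes passt's profiles as restrictive lists of allowed syscalls), and exit_outcome() is a hypothetical helper name.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child that installs a constructed seccomp filter
 * and then calls exit(0), as a SIGTERM/SIGQUIT handler would. Returns the
 * signal that killed the child, 0 for a clean exit, -1 on any other outcome. */
int exit_outcome(int allow_exit_group)
{
	/* Demo filter, not passt's: every syscall is allowed except exit_group,
	 * which traps unless allow_exit_group is set. A real profile is an
	 * allow-list and checks seccomp_data.arch first. */
	struct sock_filter prog[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, allow_exit_group ? SECCOMP_RET_ALLOW : SECCOMP_RET_TRAP),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
	int status;
	pid_t pid;

	fflush(NULL);	/* keep the child from re-flushing inherited stdio buffers */
	pid = fork();
	if (pid == 0) {
		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
		    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
			_exit(111);	/* filter not installed: reported as -1 */
		exit(0);
	}
	if (pid < 0 || waitpid(pid, &status, 0) < 0)
		return -1;
	if (WIFSIGNALED(status))
		return WTERMSIG(status);	/* SIGSYS when exit_group trapped */
	return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
	printf("exit_group denied:  outcome %d (SIGSYS is %d)\n", exit_outcome(0), SIGSYS);
	printf("exit_group allowed: outcome %d\n", exit_outcome(1));
	return 0;
}
```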