| 1 |
commit: 37e4dc5ae842afa03849a47b123345906fdd81a2 |
| 2 |
Author: Zac Medico <zmedico <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Jan 22 07:17:18 2019 +0000 |
| 4 |
Commit: Zac Medico <zmedico <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Jan 23 04:47:25 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=37e4dc5a |
| 7 |
|
| 8 |
pid-sandbox: pid-ns-init setsid support (bug 675870) |
| 9 |
|
| 10 |
Use setsid to isolate the parent process from signals sent |
| 11 |
to the process group, and forward signals to the entire |
| 12 |
process group with kill(0, signum). |
| 13 |
|
| 14 |
Bug: https://bugs.gentoo.org/675870 |
| 15 |
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org> |
| 16 |
|
| 17 |
bin/pid-ns-init | 16 +++++++++++++--- |
| 18 |
1 file changed, 13 insertions(+), 3 deletions(-) |
| 19 |
|
| 20 |
diff --git a/bin/pid-ns-init b/bin/pid-ns-init |
| 21 |
index f9b8cc4f3..76ae8de75 100644 |
| 22 |
--- a/bin/pid-ns-init |
| 23 |
+++ b/bin/pid-ns-init |
| 24 |
@@ -33,8 +33,12 @@ KILL_SIGNALS = ( |
| 25 |
) |
| 26 |
|
| 27 |
|
| 28 |
-def forward_kill_signal(main_child_pid, signum, frame): |
| 29 |
- os.kill(main_child_pid, signum) |
| 30 |
+def forward_kill_signal(pid, signum, frame): |
| 31 |
+ if pid == 0: |
| 32 |
+ # Avoid a signal feedback loop, since signals sent to the |
| 33 |
+ # process group are also sent to the current process. |
| 34 |
+ signal.signal(signum, signal.SIG_DFL) |
| 35 |
+ os.kill(pid, signum) |
| 36 |
|
| 37 |
|
| 38 |
def main(argv): |
| 39 |
@@ -47,6 +51,7 @@ def main(argv): |
| 40 |
# (forwarding signals to init and forwarding exit status to the parent |
| 41 |
# process). |
| 42 |
main_child_pid = int(argv[1]) |
| 43 |
+ setsid = False |
| 44 |
proc = None |
| 45 |
else: |
| 46 |
# The current process is init (pid 1) in a child pid namespace. |
| 47 |
@@ -55,11 +60,16 @@ def main(argv): |
| 48 |
popen_kwargs = {} |
| 49 |
if sys.version_info.major > 2: |
| 50 |
popen_kwargs['pass_fds'] = pass_fds |
| 51 |
+ # Isolate parent process from process group SIGSTOP (bug 675870) |
| 52 |
+ setsid = True |
| 53 |
+ os.setsid() |
| 54 |
proc = subprocess.Popen(args, executable=binary, |
| 55 |
preexec_fn=signal_disposition_preexec, **popen_kwargs) |
| 56 |
main_child_pid = proc.pid |
| 57 |
|
| 58 |
- sig_handler = functools.partial(forward_kill_signal, main_child_pid) |
| 59 |
+ # If setsid has been called, use kill(0, signum) to |
| 60 |
+ # forward signals to the entire process group. |
| 61 |
+ sig_handler = functools.partial(forward_kill_signal, 0 if setsid else main_child_pid) |
| 62 |
for signum in KILL_SIGNALS: |
| 63 |
signal.signal(signum, sig_handler) |
Archives