mirror of https://github.com/mkerrisk/man-pages
seccomp_unotify.2: Add caveats regarding emulation of blocking system calls
Reported-by: Sargun Dhillon <sargun@sargun.me>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 1b5592f534
commit 911789ee76
@ -1048,6 +1048,52 @@ a write by the supervisor into the target's memory can
|
||||||
.B never
|
.B never
|
||||||
be considered safe.
|
be considered safe.
|
||||||
.\"
|
.\"
|
||||||
|
.SS Caveats regarding blocking system calls
|
||||||
|
Suppose that the target performs a blocking system call (e.g.,
|
||||||
|
.BR accept (2))
|
||||||
|
that the supervisor should handle.
|
||||||
|
The supervisor might then in turn execute the same blocking system call.
|
||||||
|
.PP
|
||||||
|
In this scenario,
|
||||||
|
it is important to note that if the target's system call is now
|
||||||
|
interrupted by a signal, the supervisor is
|
||||||
|
.I not
|
||||||
|
informed of this.
|
||||||
|
If the supervisor does not take suitable steps to
|
||||||
|
actively discover that the target's system call has been canceled,
|
||||||
|
various difficulties can occur.
|
||||||
|
Taking the example of
|
||||||
|
.BR accept (2),
|
||||||
|
the supervisor might remain blocked in its
|
||||||
|
.BR accept (2)
|
||||||
|
holding a port number that the target
|
||||||
|
(which, after the interruption by the signal handler,
|
||||||
|
perhaps closed its listening socket) might expect to be able to reuse in a
|
||||||
|
.BR bind (2)
|
||||||
|
call.
|
||||||
|
.PP
|
||||||
|
Therefore, when the supervisor wishes to emulate a blocking system call,
|
||||||
|
it must do so in such a way that it gets informed if the target's
|
||||||
|
system call is interrupted by a signal handler.
|
||||||
|
For example, if the supervisor itself executes the same
|
||||||
|
blocking system call, then it could employ a separate thread
|
||||||
|
that uses the
|
||||||
|
.B SECCOMP_IOCTL_NOTIF_ID_VALID
|
||||||
|
operation to check if the target is still blocked in its system call.
|
||||||
|
Alternatively, in the
|
||||||
|
.BR accept (2)
|
||||||
|
example, the supervisor might use
|
||||||
|
.BR poll (2)
|
||||||
|
to monitor both the notification file descriptor
|
||||||
|
(so as as to discover when the target's
|
||||||
|
.BR accept (2)
|
||||||
|
call has been interrupted) and the listening file descriptor
|
||||||
|
(so as to know when a connection is available).
|
||||||
|
.PP
|
||||||
|
If the target's system call is interrupted,
|
||||||
|
the supervisor must take care to release resources (e.g., file descriptors)
|
||||||
|
that it acquired on behalf of the target.
|
||||||
|
.\"
|
||||||
.SS Interaction with SA_RESTART signal handlers
|
.SS Interaction with SA_RESTART signal handlers
|
||||||
Consider the following scenario:
|
Consider the following scenario:
|
||||||
.IP \(bu 2
|
.IP \(bu 2
|
||||||
|
|
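Review bot: the added line "(so as as to discover when the target's" doubles the word "as" and should read "(so as to discover when the target's". The new text is also inconsistent about what interrupts the target's call: the first paragraph says "interrupted by a signal", the later paragraph says "interrupted by a signal handler", and the bind(2) example refers to "the interruption by the signal handler"; pick one form and use it throughout the new subsection.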