mirror of https://github.com/mkerrisk/man-pages
seccomp.2: Add note about alarm(2) not being sufficient to limit runtime
On Wed, Mar 11, 2015 at 10:43:50PM +0100, Mikael Pettersson wrote: > Jann Horn writes: > > Or should I throw this patch away and write a patch > > for the prctl() manpage instead that documents that > > being able to call sigreturn() implies being able to > > effectively call sigprocmask(), at least on some > > architectures like X86? > > Well, that is the semantics of sigreturn(). It is essentially > setcontext() [which includes the actions of sigprocmask()], but > with restrictions on parameter placement (at least on x86). > > You could introduce some setting to restrict that aspect for > seccomp processes, but you can't change this for normal processes > without breaking things. Then I think it's probably better and easier to just document the existing behavior? If a new setting would have to be introduced and developers would need to be aware of that, it's probably easier to just tell everyone to use SIGKILL. Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Mikael Pettersson <mikpelinux@gmail.com> Acked-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
8528c9890b
commit
bec56ee2bb
|
@ -64,6 +64,31 @@ Strict secure computing mode is useful for number-crunching
|
|||
applications that may need to execute untrusted byte code, perhaps
|
||||
obtained by reading from a pipe or socket.
|
||||
|
||||
Note that although the calling thread can no longer call
|
||||
.BR sigprocmask (2),
|
||||
it can use
|
||||
.BR sigreturn (2)
|
||||
to block all signals apart from
|
||||
.BR SIGKILL
|
||||
and
|
||||
.BR SIGSTOP .
|
||||
Therefore, to reliably terminate it,
|
||||
.BR SIGKILL
|
||||
has to be used, meaning that e.g.
|
||||
.BR alarm (2)
|
||||
is not sufficient for restricting its runtime. Instead, use
|
||||
.BR timer_create (2)
|
||||
with
|
||||
.BR SIGEV_SIGNAL
|
||||
and
|
||||
.BR sigev_signo
|
||||
set to
|
||||
.BR SIGKILL
|
||||
or use
|
||||
.BR setrlimit (2)
|
||||
to set the hard limit for
|
||||
.BR RLIMIT_CPU .
|
||||
|
||||
This operation is available only if the kernel is configured with
|
||||
.BR CONFIG_SECCOMP
|
||||
enabled.
|
||||
|
|
Loading…
Reference in New Issue