The LXC patches identified a race condition between fork/exec'ing child
processes and signal handlers.
The process using libvirt can have setup arbitrary signal handlers. In
the libvirtd case we have one attached to SIGCHILD, and the handler writes
to a pipe which is then processeed in the main loop. When you fork() signal
handlers are preserved in the child process, but you may well not want the
signal handlers to be run in the children - for example in LXC we closed
the FD associated the pipe after fork(), and that FD is now asociated
with a socket we use to talk to the container. So if the original signal
handler is run bad stuff will happen in the child.
Now signal handlers will eventually get reset when you exec(), but this
leaves open a race condition window between the fork & exec() when we
cannot assume it is safe to run the signal handlers from the parent
So, this changes the virExec() function so that before fork()ing it
blocks all signals. After fork() the parent process can restore its
original signal mask. The child process meanwhile calls sigaction()
to reset all signal handlers to SIG_DFL, and then unblocks all signals.
NB, the child does not restore the parents sig-mask - libvirt can be
called from any app, and we don't want to inherit whatever mask the
app may have setup.
On Linux there is a convenient NSIG constant defined in signal.h
telling us how many signals there are. If this isn't defined I
simply set it to 32 which is enough for UNIX pre-dating the
addition of real-time signals to POSIX. If we find convenient
or more appropriate values for other non-Linux OS we can update
this as needed.
NB I call pthread_sigmask() instead of sigprocmask() when doing
the fork/exec, because we cannot assume that the application
using libvirt is single-threaded & thus we only want to block
signals in the thread doing the fork/exec.
Daniel
diff -r 1dbfb08d365d src/util.c
--- a/src/util.c Thu Aug 07 16:55:11 2008 +0100
+++ b/src/util.c Thu Aug 07 16:55:53 2008 +0100
@@ -37,6 +37,7 @@
#include <sys/wait.h>
#endif
#include <string.h>
+#include <signal.h>
#include "c-ctype.h"
#ifdef HAVE_PATHS_H
@@ -49,6 +50,10 @@
#include "util.h"
#include "memory.h"
#include "util-lib.c"
+
+#ifndef NSIG
+# define NSIG 32
+#endif
#ifndef MIN
# define MIN(a, b) ((a) < (b) ? (a) : (b))
@@ -104,9 +109,23 @@
_virExec(virConnectPtr conn,
const char *const*argv,
int *retpid, int infd, int *outfd, int *errfd, int non_block) {
- int pid, null;
+ int pid, null, i;
int pipeout[2] = {-1,-1};
int pipeerr[2] = {-1,-1};
+ sigset_t oldmask, newmask;
+ struct sigaction sig_action;
+
+ /*
+ * Need to block signals now, so that child process can safely
+ * kill off caller's signal handlers without a race.
+ */
+ sigfillset(&newmask);
+ if (pthread_sigmask(SIG_SETMASK, &newmask, &oldmask) < 0) {
+ ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("cannot block signals: %s"),
+ strerror(errno));
+ return -1;
+ }
if ((null = open(_PATH_DEVNULL, O_RDONLY)) < 0) {
ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
@@ -122,6 +141,34 @@
goto cleanup;
}
+ if (outfd) {
+ if(non_block &&
+ virSetNonBlock(pipeout[0]) == -1) {
+ ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("Failed to set non-blocking file descriptor flag"));
+ goto cleanup;
+ }
+
+ if(virSetCloseExec(pipeout[0]) == -1) {
+ ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("Failed to set close-on-exec file descriptor
flag"));
+ goto cleanup;
+ }
+ }
+ if (errfd) {
+ if(non_block &&
+ virSetNonBlock(pipeerr[0]) == -1) {
+ ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("Failed to set non-blocking file descriptor flag"));
+ goto cleanup;
+ }
+ if(virSetCloseExec(pipeerr[0]) == -1) {
+ ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("Failed to set close-on-exec file descriptor
flag"));
+ goto cleanup;
+ }
+ }
+
if ((pid = fork()) < 0) {
ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
_("cannot fork child process: %s"), strerror(errno));
@@ -132,33 +179,48 @@
close(null);
if (outfd) {
close(pipeout[1]);
- if(non_block)
- if(virSetNonBlock(pipeout[0]) == -1)
- ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
- _("Failed to set non-blocking file descriptor flag"));
-
- if(virSetCloseExec(pipeout[0]) == -1)
- ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
- _("Failed to set close-on-exec file descriptor
flag"));
*outfd = pipeout[0];
}
if (errfd) {
close(pipeerr[1]);
- if(non_block)
- if(virSetNonBlock(pipeerr[0]) == -1)
- ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
- _("Failed to set non-blocking file descriptor
flag"));
-
- if(virSetCloseExec(pipeerr[0]) == -1)
- ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
- _("Failed to set close-on-exec file descriptor
flag"));
*errfd = pipeerr[0];
}
*retpid = pid;
+
+ /* Restore our original signal mask now child is safely
+ running */
+ if (pthread_sigmask(SIG_SETMASK, &oldmask, NULL) < 0) {
+ ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("cannot unblock signals: %s"),
+ strerror(errno));
+ return -1;
+ }
+
return 0;
}
/* child */
+
+ /* Clear out all signal handlers from parent so nothing
+ unexpected can happen in our child here */
+ sig_action.sa_handler = SIG_DFL;
+ sig_action.sa_flags = 0;
+ sigemptyset(&sig_action.sa_mask);
+
+ for (i = 0 ; i < NSIG ; i++)
+ /* Only possible errors are EFAULT or EINVAL
+ The former wont happen, the latter we
+ expect, so no need to check return value */
+ sigaction(i, &sig_action, NULL);
+
+ /* Unmask all signals in child, since we've no idea
+ what the caller's done with their signal mask */
+ if (pthread_sigmask(SIG_SETMASK, &oldmask, NULL) < 0) {
+ ReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("cannot unblock signals: %s"),
+ strerror(errno));
+ return -1;
+ }
if (pipeout[0] > 0 && close(pipeout[0]) < 0)
_exit(1);
--
|: Red Hat, Engineering, London -o-
http://people.redhat.com/berrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org -o-
http://ovirt.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|