114 lines
3.3 KiB
Diff
114 lines
3.3 KiB
Diff
From 27f8123c3c4133c26bf1ef3ddec1be9e8bcd7119 Mon Sep 17 00:00:00 2001
|
|
From: LiFeng <lifeng68@huawei.com>
|
|
Date: Tue, 15 Jan 2019 23:14:14 -0500
|
|
Subject: [PATCH 037/139] restore default signal handlers and set umask 0027
|
|
|
|
Signed-off-by: LiFeng <lifeng68@huawei.com>
|
|
---
|
|
src/lxc/attach.c | 22 +++++++++++++++++++++-
|
|
src/lxc/conf.c | 3 +++
|
|
src/lxc/start.c | 18 +++++++++++++++++-
|
|
3 files changed, 41 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
|
|
index 3f60fe1..4ccdd74 100644
|
|
--- a/src/lxc/attach.c
|
|
+++ b/src/lxc/attach.c
|
|
@@ -750,7 +750,7 @@ static void lxc_put_attach_clone_payload(struct attach_clone_payload *p)
|
|
|
|
static int attach_child_main(struct attach_clone_payload *payload)
|
|
{
|
|
- int fd, lsm_fd, ret;
|
|
+ int fd, lsm_fd, ret, i;
|
|
uid_t new_uid;
|
|
gid_t new_gid;
|
|
uid_t ns_root_uid = 0;
|
|
@@ -761,11 +761,31 @@ static int attach_child_main(struct attach_clone_payload *payload)
|
|
bool needs_lsm = (options->namespaces & CLONE_NEWNS) &&
|
|
(options->attach_flags & LXC_ATTACH_LSM) &&
|
|
init_ctx->lsm_label;
|
|
+ sigset_t mask;
|
|
+
|
|
|
|
/*isulad: record errpipe fd*/
|
|
msg_fd = init_ctx->container->lxc_conf->errpipe[1];
|
|
init_ctx->container->lxc_conf->errpipe[1] = -1;
|
|
|
|
+ /*isulad: set system umask 0027 for safe control */
|
|
+ umask(0027);
|
|
+
|
|
+ /*isulad: restore default signal handlers and unblock all signals*/
|
|
+ for (i = 1; i < NSIG; i++)
|
|
+ signal(i, SIG_DFL);
|
|
+
|
|
+ ret = sigfillset(&mask);
|
|
+ if (ret < 0) {
|
|
+ SYSERROR("Failed to fill signal mask");
|
|
+ goto on_error;;
|
|
+ }
|
|
+ ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
|
|
+ if (ret < 0) {
|
|
+ SYSERROR("Failed to set signal mask");
|
|
+ goto on_error;
|
|
+ }
|
|
+
|
|
/* A description of the purpose of this functionality is provided in the
|
|
* lxc-attach(1) manual page. We have to remount here and not in the
|
|
* parent process, otherwise /proc may not properly reflect the new pid
|
|
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
|
|
index 6134ed3..88cebfd 100644
|
|
--- a/src/lxc/conf.c
|
|
+++ b/src/lxc/conf.c
|
|
@@ -4180,6 +4180,9 @@ int lxc_setup(struct lxc_handler *handler)
|
|
}
|
|
}
|
|
|
|
+ /*isulad: set system umask 0027 for safe control*/
|
|
+ umask(0027);
|
|
+
|
|
ret = setup_personality(lxc_conf->personality);
|
|
if (ret < 0) {
|
|
ERROR("Failed to set personality");
|
|
diff --git a/src/lxc/start.c b/src/lxc/start.c
|
|
index 357e81d..708ab7f 100644
|
|
--- a/src/lxc/start.c
|
|
+++ b/src/lxc/start.c
|
|
@@ -1103,7 +1103,7 @@ void lxc_abort(const char *name, struct lxc_handler *handler)
|
|
|
|
static int do_start(void *data)
|
|
{
|
|
- int ret;
|
|
+ int ret, i;
|
|
char path[PATH_MAX];
|
|
uid_t new_uid;
|
|
gid_t new_gid;
|
|
@@ -1112,9 +1112,25 @@ static int do_start(void *data)
|
|
gid_t nsgid = 0;
|
|
int devnull_fd = -1;
|
|
struct lxc_handler *handler = data;
|
|
+ sigset_t mask;
|
|
|
|
lxc_sync_fini_parent(handler);
|
|
|
|
+ /*isulad: restore default signal handlers and unblock all signals*/
|
|
+ for (i = 1; i < NSIG; i++)
|
|
+ signal(i, SIG_DFL);
|
|
+
|
|
+ ret = sigfillset(&mask);
|
|
+ if (ret < 0) {
|
|
+ SYSERROR("Failed to fill signal mask");
|
|
+ goto out_warn_father;;
|
|
+ }
|
|
+ ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
|
|
+ if (ret < 0) {
|
|
+ SYSERROR("Failed to set signal mask");
|
|
+ goto out_warn_father;
|
|
+ }
|
|
+
|
|
/* This prctl must be before the synchro, so if the parent dies before
|
|
* we set the parent death signal, we will detect its death with the
|
|
* synchro right after, otherwise we have a window where the parent can
|
|
--
|
|
1.8.3.1
|
|
|