summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/sighandling/sighandling.go
blob: ef6f7f617f5f55ea7f64d15532f543545758e778 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package sighandling contains helpers for handling signals to applications.
package sighandling

import (
	"os"
	"os/signal"
	"reflect"
	"syscall"

	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
	"gvisor.googlesource.com/gvisor/pkg/sentry/arch"
	"gvisor.googlesource.com/gvisor/pkg/sentry/kernel"
)

// numSignals is the number of normal (non-realtime) signals on Linux.
const numSignals = 32

// forwardSignals listens for incoming signals and delivers them to k. It starts
// when the start channel is closed and stops when the stop channel is closed.
func forwardSignals(k *kernel.Kernel, sigchans []chan os.Signal, start, stop chan struct{}) {
	// Build a select case.
	sc := []reflect.SelectCase{{Dir: reflect.SelectRecv, Chan: reflect.ValueOf(start)}}
	for _, sigchan := range sigchans {
		sc = append(sc, reflect.SelectCase{Dir: reflect.SelectRecv, Chan: reflect.ValueOf(sigchan)})
	}

	started := false
	for {
		// Wait for a notification.
		index, _, ok := reflect.Select(sc)

		// Was it the start / stop channel?
		if index == 0 {
			if !ok {
				if started {
					// stop channel
					break
				} else {
					// start channel
					started = true
					sc[0] = reflect.SelectCase{Dir: reflect.SelectRecv, Chan: reflect.ValueOf(stop)}
				}
			}
			continue
		}

		// How about a different close?
		if !ok {
			panic("signal channel closed unexpectedly")
		}

		// Otherwise, it was a signal on channel N. Index 0 represents the stop
		// channel, so index N represents the channel for signal N.
		if !started || !k.SendExternalSignal(&arch.SignalInfo{Signo: int32(index)}, "sentry") {
			// Kernel is not ready to receive signals.
			//
			// Kill ourselves if this signal would have killed the
			// process before PrepareForwarding was called. i.e., all
			// _SigKill signals; see Go
			// src/runtime/sigtab_linux_generic.go.
			//
			// Otherwise ignore the signal.
			//
			// TODO: Convert Go's runtime.raise from
			// tkill to tgkill so PrepareForwarding doesn't need to
			// be called until after filter installation.
			switch linux.Signal(index) {
			case linux.SIGHUP, linux.SIGINT, linux.SIGTERM:
				dieFromSignal(linux.Signal(index))
			}
		}
	}

	// Close all individual channels.
	for _, sigchan := range sigchans {
		signal.Stop(sigchan)
		close(sigchan)
	}
}

// PrepareForwarding ensures that synchronous signals are forwarded to k and
// returns a callback that starts signal delivery, which itself returns a
// callback that stops signal forwarding.
func PrepareForwarding(k *kernel.Kernel, enablePanicSignal bool) func() func() {
	start := make(chan struct{})
	stop := make(chan struct{})

	// Register individual channels. One channel per standard signal is
	// required as os.Notify() is non-blocking and may drop signals. To avoid
	// this, standard signals have to be queued separately. Channel size 1 is
	// enough for standard signals as their semantics allow de-duplication.
	//
	// External real-time signals are not supported. We rely on the go-runtime
	// for their handling.
	var sigchans []chan os.Signal
	for sig := 1; sig <= numSignals+1; sig++ {
		sigchan := make(chan os.Signal, 1)
		sigchans = append(sigchans, sigchan)

		// SignalPanic is handled by Run.
		if enablePanicSignal && linux.Signal(sig) == kernel.SignalPanic {
			continue
		}

		signal.Notify(sigchan, syscall.Signal(sig))
	}
	// Start up our listener.
	go forwardSignals(k, sigchans, start, stop) // S/R-SAFE: synchronized by Kernel.extMu

	return func() func() {
		close(start)
		return func() {
			close(stop)
		}
	}
}