[lxc-devel] [lxc/master] start: fix death signal

[brauner on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 811 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20171222/ed567868/attachment.bin>
-------------- next part --------------
From 912314fc9b63e8cffaf3d5160f9171fc6a0805d4 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 22 Dec 2017 22:17:44 +0100
Subject: [PATCH] start: fix death signal

On set{g,u}id() the kernel does:

 	/* dumpability changes */
	if (!uid_eq(old->euid, new->euid) ||
	    !gid_eq(old->egid, new->egid) ||
	    !uid_eq(old->fsuid, new->fsuid) ||
	    !gid_eq(old->fsgid, new->fsgid) ||
	    !cred_cap_issubset(old, new)) {
		if (task->mm)
			set_dumpable(task->mm, suid_dumpable);
		task->pdeath_signal = 0;
		smp_wmb();
	}

which means we need to re-enable the deat signal after the set{g,u}id().

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/start.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index c7d87fb3c..2b09d89ab 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -888,8 +888,9 @@ static int do_start(void *data)
 	 * exit before we set the pdeath signal leading to a unsupervized
 	 * container.
 	 */
-	if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0)) {
-		SYSERROR("Failed to set PR_SET_PDEATHSIG to SIGKILL.");
+	ret = prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+	if (ret < 0) {
+		SYSERROR("Failed to set PR_SET_PDEATHSIG to SIGKILL");
 		return -1;
 	}
 
@@ -946,6 +947,13 @@ static int do_start(void *data)
 			if (ret < 0)
 				goto out_warn_father;
 		}
+
+		/* set{g,u}id() clears deathsignal */
+		ret = prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+		if (ret < 0) {
+			SYSERROR("Failed to set PR_SET_PDEATHSIG to SIGKILL");
+			goto out_warn_father;
+		}
 	}
 
 	if (access(handler->lxcpath, X_OK)) {