LKML Archive on
help / color / mirror / Atom feed
From: Jann Horn <>
To: Michael Kerrisk <>,
	Mikael Pettersson <>
	Michael Kerrisk <>,
	Russell King <>,
	Catalin Marinas <>,
	Will Deacon <>,
	Thomas Gleixner <>,
	Ingo Molnar <>, "H. Peter Anvin" <>,, Jeff Dike <>,
	Richard Weinberger <>,
	Kees Cook <>,
	Andy Lutomirski <>,
	Will Drewry <>
Subject: [PATCH] seccomp.2: Add note about alarm(2) not being sufficient to limit runtime
Date: Thu, 12 Mar 2015 14:07:01 +0100	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <21760.46870.338764.599348@gargle.gargle.HOWL>

On Wed, Mar 11, 2015 at 10:43:50PM +0100, Mikael Pettersson wrote:
> Jann Horn writes:
>  > Or should I throw this patch away and write a patch
>  > for the prctl() manpage instead that documents that
>  > being able to call sigreturn() implies being able to
>  > effectively call sigprocmask(), at least on some
>  > architectures like X86?
> Well, that is the semantics of sigreturn().  It is essentially
> setcontext() [which includes the actions of sigprocmask()], but
> with restrictions on parameter placement (at least on x86).
> You could introduce some setting to restrict that aspect for
> seccomp processes, but you can't change this for normal processes
> without breaking things.

Then I think it's probably better and easier to just document the existing
behavior? If a new setting would have to be introduced and developers would
need to be aware of that, it's probably easier to just tell everyone to use

Does this manpage patch look good?

 man2/seccomp.2 | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/man2/seccomp.2 b/man2/seccomp.2
index 702ceb8..f762d07 100644
--- a/man2/seccomp.2
+++ b/man2/seccomp.2
@@ -64,6 +64,31 @@ Strict secure computing mode is useful for number-crunching
 applications that may need to execute untrusted byte code, perhaps
 obtained by reading from a pipe or socket.
+Note that although the calling thread can no longer call
+.BR sigprocmask (2),
+it can use
+.BR sigreturn (2)
+to block all signals apart from
+Therefore, to reliably terminate it,
+has to be used, meaning that e.g.
+.BR alarm (2)
+is not sufficient for restricting its runtime. Instead, use
+.BR timer_create (2)
+.BR sigev_signo
+set to
+or use
+.BR setrlimit (2)
+to set the hard limit for
 This operation is available only if the kernel is configured with

  parent reply	other threads:[~2015-03-12 13:07 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-11 17:42 [PATCH] Don't allow blocking of signals using sigreturn Jann Horn
2015-03-11 21:43 ` Mikael Pettersson
2015-03-11 22:26   ` Andy Lutomirski
2015-03-12  7:22     ` Mikael Pettersson
2015-03-12 13:07   ` Jann Horn [this message]
2015-03-12 17:30     ` [PATCH] seccomp.2: Add note about alarm(2) not being sufficient to limit runtime Andy Lutomirski
2015-03-12 17:33     ` Kees Cook
2015-03-12 20:01     ` Mikael Pettersson
2015-03-22 19:28     ` Michael Kerrisk (man-pages)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
    --subject='Re: [PATCH] seccomp.2: Add note about alarm(2) not being sufficient to limit runtime' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).