subproc: clear signal handlers in the child process

diff --git a/common.h b/common.h
index 94c621b..26222f8 100644 (file)
--- a/common.h
+++ b/common.h
@@ -24,6 +24,7 @@
 
 #include <limits.h>
 #include <netinet/ip6.h>
+#include <signal.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <sys/queue.h>

diff --git a/kafel b/kafel
index b20d268..2ae8e11 160000 (submodule)
--- a/kafel
+++ b/kafel
@@ -1 +1 @@
-Subproject commit b20d26848992cb14661f6fbccca6a82b1c2af546
+Subproject commit 2ae8e116e416539da66ed7170e246668df05e43e

diff --git a/nsjail.c b/nsjail.c
index 0331be7..7e5008b 100644 (file)
--- a/nsjail.c
+++ b/nsjail.c
@@ -76,20 +76,10 @@ static bool nsjailSetSigHandler(int sig)
 
 static bool nsjailSetSigHandlers(void)
 {
-       if (nsjailSetSigHandler(SIGINT) == false) {
-               return false;
-       }
-       if (nsjailSetSigHandler(SIGUSR1) == false) {
-               return false;
-       }
-       if (nsjailSetSigHandler(SIGALRM) == false) {
-               return false;
-       }
-       if (nsjailSetSigHandler(SIGCHLD) == false) {
-               return false;
-       }
-       if (nsjailSetSigHandler(SIGTERM) == false) {
-               return false;
+       for (size_t i = 0; i < ARRAYSIZE(nssigs); i++) {
+               if (!nsjailSetSigHandler(nssigs[i])) {
+                       return false;
+               }
        }
        return true;
 }

diff --git a/nsjail.h b/nsjail.h
index 70de7c7..7194b93 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
@@ -23,6 +23,14 @@
 #ifndef NS_NSJAIL_H
 #define NS_NSJAIL_H
 
-#include "common.h"
+#include <signal.h>
+
+static const int nssigs[] = {
+       SIGINT,
+       SIGUSR1,
+       SIGALRM,
+       SIGCHLD,
+       SIGTERM,
+};
 
 #endif /* _NSJAIL_H */

diff --git a/subproc.c b/subproc.c
index efb855e..a816505 100644 (file)
--- a/subproc.c
+++ b/subproc.c
@@ -109,12 +109,28 @@ static const char* subprocCloneFlagsToStr(uintptr_t flags)
        return cloneFlagName;
 }
 
+/* Reset the execution environment for the new process */
+static bool subprocReset(void)
+{
+       for (size_t i = 0; i < ARRAYSIZE(nssigs); i++) {
+               if (signal(nssigs[i], SIG_DFL) == SIG_ERR) {
+                       PLOG_W("signal(%s, SIG_DFL)", utilSigName(nssigs[i]));
+                       return false;
+               }
+       }
+       return true;
+}
+
 static int subprocNewProc(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd)
 {
        if (containSetupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
                exit(0xff);
        }
 
+       if (!subprocReset()) {
+               exit(0xff);
+       }
+
        if (pipefd == -1) {
                if (userInitNsFromParent(nsjconf, getpid()) == false) {
                        LOG_E("Couldn't initialize net user namespace");

diff --git a/subproc.h b/subproc.h
index a4f64e7..5cb4ff2 100644 (file)
--- a/subproc.h
+++ b/subproc.h
@@ -24,6 +24,8 @@
 
 #include "common.h"
 
+#include "nsjail.h"
+
 #include <inttypes.h>
 #include <unistd.h>