GNU bug report logs - #54997
[PATCH 00/12] Add "least authority" program wrapper

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 17 Apr 2022 21:02:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #14 received at 54997 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: 54997 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 03/12] linux-container: 'call-with-container' relays SIGTERM
 and SIGINT.
Date: Sun, 17 Apr 2022 23:04:44 +0200

* gnu/build/linux-container.scm (call-with-container): Add #:relayed-signals
and honor it.
---
 gnu/build/linux-container.scm | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index bdeca2cdb9..c19029aa65 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -303,6 +303,7 @@ (define (call-with-temporary-directory proc)
 
 (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
                               (host-uids 1) (guest-uid 0) (guest-gid 0)
+                              (relayed-signals (list SIGINT SIGTERM))
                               (process-spawned-hook (const #t)))
   "Run THUNK in a new container process and return its exit status; call
 PROCESS-SPAWNED-HOOK with the PID of the new process that has been spawned.
@@ -320,6 +321,9 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
 GUEST-UID and GUEST-GID specify the first UID (respectively GID) that host
 UIDs (respectively GIDs) map to in the namespace.
 
+RELAYED-SIGNALS is the list of signals that are \"relayed\" to the container
+process when caught by its parent.
+
 Note that if THUNK needs to load any additional Guile modules, the relevant
 module files must be present in one of the mappings in MOUNTS and the Guile
 load path must be adjusted as needed."
@@ -328,11 +332,12 @@ (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
      (let ((pid (run-container root mounts namespaces host-uids thunk
                                #:guest-uid guest-uid
                                #:guest-gid guest-gid)))
-       ;; Catch SIGINT and kill the container process.
-       (sigaction SIGINT
-         (lambda (signum)
-           (false-if-exception
-            (kill pid SIGKILL))))
+       (define (relay-signal signal)
+         (false-if-exception (kill pid signal)))
+
+       (for-each (lambda (signal)
+                   (sigaction signal relay-signal))
+                 relayed-signals)
 
        (process-spawned-hook pid)
        (match (waitpid pid)
-- 
2.35.1
This bug report was last modified 3 years and 72 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.