syscall: synchronization between clone() and execve() #14180

Open
stefanberger opened this issue Feb 1, 2016 · 6 comments

@stefanberger
commented Feb 1, 2016

I would like to see a synchronization primitive added between the clone() and the execve() call in the function forkAndExecInChild here https://golang.org/src/syscall/exec_linux.go so that the parent can set up the child after the clone() but before the execve().

@stefanberger changed the title from "Callback or synchronization between clone() and execve()" to "Synchronization between clone() and execve()" Feb 1, 2016

@ianlancetaylor changed the title from "Synchronization between clone() and execve()" to "syscall: synchronization between clone() and execve()" Feb 1, 2016

@ianlancetaylor

Contributor

commented Feb 1, 2016

I assume you mean a callback that is executed in the child context. That is not going to happen. There is almost nothing that can be safely done in the child context. You can not allocate memory. You can not start a goroutine. You can call almost none of the functions in the syscall package. Instead our procedure has been that for things that have to happen between clone and exec in the child, we add entries to syscall.SysProcAttr.

I'm going to close this, but please feel free to reopen if you meant something else. An example would help.

@minux

Member

commented Feb 1, 2016

@stefanberger

Author

commented Feb 1, 2016

I am working on namespacing the Linux integrity measurement architecture. Here a new IMA namespace will be created as part of the clone(). We intend to hook up a virtual TPM (TPM emulator) to the IMA namespace but have to do this after the clone() and before the execve(). The problem with the execve() is that it creates 'measurements' and these measurements will be extended into a PCR of the TPM emulator. So the hook-up of the vTPM with the IMA-namespace has to be done by the parent before the child executes the execve().
I initially wrote 'callback' in the title but removed that. It likely would not work so well, so a synchronization primitive, such as two pipes, could be used to indicate to the parent that it can do its job and then indicate to the child that it can proceed. As stated, we would like to be able to execute code in the parent before the child runs the execve().

@ianlancetaylor

Contributor

commented Feb 1, 2016

Thanks for the description. It sounds like it would be sufficient to add a descriptor to syscall.SysProcAttr, and for the child to read a byte from that descriptor before calling exec. I think that could be implemented.

@ianlancetaylor ianlancetaylor reopened this Feb 1, 2016

@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Feb 1, 2016

@stefanberger

Author

commented Feb 1, 2016

:-) A single pipe will do.
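
The single-pipe gate discussed in the comments above, written out at the system-call level as an added example. It is C rather than Go, is not part of Go's syscall package and is not code from any participant in this thread. `spawn_after_setup`, `parent_setup` and the marker-file demo are hypothetical names, and `parent_setup` stands in for whatever the parent must finish (such as attaching a vTPM) before the child's execve():

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;

/* Hypothetical helper: fork, hold the child before execve() until
 * parent_setup(pid) returns 0, then release it. Returns the child's exit
 * status, 126 if the child was never released, -1 on error. */
int spawn_after_setup(const char *path, char *const argv[],
                      int (*parent_setup)(pid_t))
{
    int gate[2], status;
    if (pipe(gate) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(gate[0]); close(gate[1]); return -1; }
    if (pid == 0) {               /* child: async-signal-safe calls only */
        char go; ssize_t n;
        close(gate[1]);           /* lets read() see EOF if the parent bails out */
        do n = read(gate[0], &go, 1); while (n < 0 && errno == EINTR);
        close(gate[0]);           /* do not leak the gate into the new image */
        if (n != 1) _exit(126);   /* gate closed without a release byte */
        execve(path, argv, environ);
        _exit(127);
    }
    close(gate[0]);               /* parent: child exists, has not exec'd yet */
    if (parent_setup(pid) == 0 && write(gate[1], "x", 1) != 1)
        perror("release child");
    close(gate[1]);               /* without the byte the child gets EOF */
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo: the child tests for a marker only parent_setup creates. */
static char marker[64];
static int setup_ok(pid_t c) { (void)c; int fd = open(marker, O_CREAT | O_WRONLY, 0600); return fd < 0 ? -1 : close(fd); }
static int setup_fail(pid_t c) { (void)c; return -1; }
int demo(int fail)
{
    char *argv[] = { "sh", "-c", "test -e \"$1\"", "sh", marker, NULL };
    snprintf(marker, sizeof marker, "/tmp/gate-demo.%ld", (long)getpid());
    unlink(marker);
    int rc = spawn_after_setup("/bin/sh", argv, fail ? setup_fail : setup_ok);
    unlink(marker);
    return rc;
}

int main(void) { return demo(0) == 0 && demo(1) == 126 ? 0 : 1; }
```

If the parent's setup fails, closing the write end without sending the byte makes the child exit before execve(), so the program is never run unprepared. A parent that must survive the child being killed while still blocked on the gate should also ignore SIGPIPE around the write.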

@jessfraz

Contributor

commented Jul 17, 2017

I think this should be ok once #20676 is in?
