runtime: use tgkill instead of tkill #27548
This has been proposed previously (#24924), but was closed because Android allows tkill.
However, generally tgkill allows creation of a stricter sandbox (note that tkill is only used in runtime.raise to send a signal to the current thread).
With kill and tgkill, the sandbox policy (e.g., seccomp) can prevent the program from sending signals to other processes by checking that the first argument == getpid().
With tkill, the policy must whitelist all tids in the process, which is effectively impossible given Go's dynamic thread creation.
Specifically, this applies to the gVisor project, where we do not allow tkill in our seccomp policy. At the moment, we attempt to emulate the standard Go runtime signal behavior. This works, but I don't see any downsides to using tgkill in raise, and other sandboxed Go programs could benefit, hence this feature request.
The text was updated successfully, but these errors were encountered: