[ELDK] 2.4 signal patch

Detlev Zundel dzu at denx.de
Thu Oct 28 17:35:02 CEST 2010


Hi Levend,

> We have a ppc 852 based embedded board. We are running 2.4.25
> kernel. We implemented a kernel module
> for timer mechanism. A process can set a timer with this module and
> when that timer expires module notifies the process with an RT signal.

Not that I want to criticize what you did, but I am not a big friend of
signals.  I've seen way too many problems connected with them and try to
circumvent them whenever possible.

Just for your information - in Linux 2.6 the kernel developers have
solved the same "problem" by introducing timerfd's [1] which fit the
regular (synchronous) "select/poll" methodology of Unix much nicer than
(asynchronous) signals do.

> Until today, we had just "root" user. But a few weeks ago
> we added a web server application (hiawatha) that runs with "nobody"
> user. So we added "nobody" user also.
>
> Later we noticed that some signals sent from kernel to userland are
> missing. The reason is this.
>
> process A with uid root
> process B with uid nobody
> kernel module M
>
> process A sets a timer with module M.
> While B is running, timer expires and module M wants to send signal to A.
> But M uses send_sig_info (kernel/signal.c). That function makes some
> permission checks (bad_signal). It checks euid of "current" with euid
> of signal destination process.
> If these are different, it does not deliver signal.

Ouch, it seems like your kernel module has a serious problem.  When the
signal is delivered from "the process running at the time the timer goes
off", then the behaviour is essentially non-deterministic.  One fix
would be to somehow remember the pid of the process that created the
timer and use that as the "originator" of the signal.  Note that this is
only theory and I do _not_ know how to code that.

> So as a remedy, we bypassed bad_signal code. Do you think this will
> have some bad side effects? Or do you suggest a better solution?

Of course this will have bad side effects - this means that any user can
kill an application started by the superuser.  Now this may not be
critical for your embedded system (if you don't have any actual users),
but in general this is a no-go.  It was for good reason that there were
checks in the code ;)

Cheers
  Detlev

[1] http://www.kernel.org/doc/man-pages/online/pages/man2/timerfd_create.2.html

-- 
I had nothing to do with implementing Gosmacs.  It was inspired
by the original Emacs, but that's all.  I would never have agreed
to use a language like Mocklisp.
             -- Richard Stallman in <E1CUySS-00048D-RN at fencepost.gnu.org>
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de
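
The timerfd approach mentioned in the reply, as an added example that is not part of the original message: the process waits on its own descriptor with poll(), so expiry is not delivered as a signal and the sender/receiver uid check discussed in the thread does not come into play. The helper name wait_for_timer is hypothetical, and timerfd needs Linux 2.6.25 or later, so it is not available on the 2.4.25 kernel in the question.

```c
/* Added example: one-shot timerfd consumed through poll(), no signals. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/timerfd.h>
#include <unistd.h>

/* Hypothetical helper: arm a one-shot timer for delay_ms (must be > 0,
 * a zero value would disarm it) and wait at most wait_ms for it.
 * Returns the expiration count read from the descriptor, 0 if poll()
 * timed out first, -1 on error. */
long wait_for_timer(long delay_ms, int wait_ms)
{
    int fd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
    if (fd < 0)
        return -1;

    struct itimerspec its = {0};          /* it_interval = 0: fire once */
    its.it_value.tv_sec = delay_ms / 1000;
    its.it_value.tv_nsec = (delay_ms % 1000) * 1000000L;

    long result = -1;
    if (timerfd_settime(fd, 0, &its, NULL) == 0) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int n = poll(&pfd, 1, wait_ms);   /* same loop can watch sockets */
        if (n == 0) {
            result = 0;                   /* timer has not fired yet */
        } else if (n > 0 && (pfd.revents & POLLIN)) {
            uint64_t expirations;         /* kernel writes an 8-byte count */
            if (read(fd, &expirations, sizeof expirations)
                    == (ssize_t)sizeof expirations)
                result = (long)expirations;
        }
    }
    close(fd);
    return result;
}

int main(void)
{
    printf("expired %ld time(s)\n", wait_for_timer(50, 1000));
    printf("poll timed out first: %ld\n", wait_for_timer(1000, 50));
    return 0;
}
```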

