init: don't kill(-1) if we aren't in a pid ns

...otherwise we'll kill everyone on the machine. Instead, let's explicitly try to kill our children. Let's do a best effort against fork bombs by disabling forking via the pids cgroup if it exists. This is best effort for a number of reasons: * the pids cgroup may not be available * the container may have bind mounted /dev/null over pids.max, so the write doesn't do anything Signed-off-by: Tycho Andersen <tycho@tycho.ws>
2025-07-27 21:11:49 +00:00 · 2017-12-08 23:23:26 +00:00 · 2017-12-08 23:23:26 +00:00 · d76e3e1a5b
commit d76e3e1a5b
parent 4be4832738
1 changed files with 98 additions and 8 deletions
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@ -92,6 +92,86 @@ static struct arguments my_args = {
 	.shortopts = short_options
 };
 static void prevent_forking(void)
 {
 	FILE *f;
 	char name[PATH_MAX], path[PATH_MAX];
 	int ret;
 	f = fopen("/proc/self/cgroup", "r");
 	if (!f) {
 		SYSERROR("opening /proc/self/cgroup");
 		return;
 	}
 	while (!feof(f)) {
 		int fd;
 		if (2 != fscanf(f, "%*d:%[^:]:%s", name, path)) {
 			ERROR("didn't scan the right number of things");
 			goto out;
 		}
 		if (strcmp(name, "pids"))
 			continue;
 		ret = snprintf(name, sizeof(name), "/sys/fs/cgroup/pids/%s/pids.max", path);
 		if (ret < 0 || ret >= sizeof(path)) {
 			ERROR("failed snprintf");
 			goto out;
 		}
 		fd = open(name, O_WRONLY);
 		if (fd < 0) {
 			SYSERROR("open");
 			goto out;
 		}
 		if (write(fd, "1", 1) != 1)
 			SYSERROR("write");
 		close(fd);
 		break;
 	}
 out:
 	fclose(f);
 }
 static void kill_children(pid_t pid)
 {
 	FILE *f;
 	char path[PATH_MAX];
 	int ret;
 	ret = snprintf(path, sizeof(path), "/proc/%d/task/%d/children", pid, pid);
 	if (ret < 0 || ret >= sizeof(path)) {
 		ERROR("failed snprintf");
 		return;
 	}
 	f = fopen(path, "r");
 	if (!f) {
 		SYSERROR("couldn't open %s", path);
 		return;
 	}
 	while (!feof(f)) {
 		pid_t pid;
 		if (fscanf(f, "%d ", &pid) != 1) {
 			ERROR("couldn't scan pid");
 			fclose(f);
 			return;
 		}
 		kill_children(pid);
 		kill(pid, SIGKILL);
 	}
 	fclose(f);
 }
 int main(int argc, char *argv[])
 {
 	int i, ret;
@ -258,18 +338,28 @@ int main(int argc, char *argv[])
 		case SIGTERM:
 			if (!shutdown) {
 				shutdown = 1;
-				ret = kill(-1, SIGTERM);
+				prevent_forking();
-				if (ret < 0)
+				if (getpid() != 1) {
-					DEBUG("%s - Failed to send SIGTERM to "
+					kill_children(getpid());
-					      "all children", strerror(errno));
+				} else {
 					ret = kill(-1, SIGTERM);
 					if (ret < 0)
 						DEBUG("%s - Failed to send SIGTERM to "
 						      "all children", strerror(errno));
 				}
 				alarm(1);
 			}
 			break;
 		case SIGALRM:
-			ret = kill(-1, SIGKILL);
+			prevent_forking();
-			if (ret < 0)
+			if (getpid() != 1) {
-				DEBUG("%s - Failed to send SIGKILL to all "
+				kill_children(getpid());
-				      "children", strerror(errno));
+			} else {
 				ret = kill(-1, SIGTERM);
 				if (ret < 0)
 					DEBUG("%s - Failed to send SIGTERM to "
 					      "all children", strerror(errno));
 			}
 			break;
 		default:
 			ret = kill(pid, was_interrupted);