Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

syscall: synchronization between clone() and execve() #14180

Open
stefanberger opened this issue Feb 1, 2016 · 6 comments
Open

syscall: synchronization between clone() and execve() #14180

stefanberger opened this issue Feb 1, 2016 · 6 comments
Labels
compiler/runtime Issues related to the Go compiler and/or runtime.
Milestone
Unplanned

Comments

@stefanberger
Copy link

I would like to see a synchronization primitive to be added between the clone() and the execve() call in the function forkAndExecInChild here https://golang.org/src/syscall/exec_linux.go so that the parent can setup the child after the clone() but before the execve().
@stefanberger stefanberger changed the title Callback or synchronization between clone() and execve() Synchronization between clone() and execve() Feb 1, 2016
@ianlancetaylor ianlancetaylor changed the title Synchronization between clone() and execve() syscall: synchronization between clone() and execve() Feb 1, 2016
@ianlancetaylor
Copy link
Member

I assume you mean a callback that is executed in the child context. That is not going to happen. There is almost nothing that can be safely done in the child context. You can not allocate memory. You can not start a goroutine. You can call almost none of the functions in the syscall package. Instead our procedure has been that for things that have to happen between clone and exec in the child, we add entries to syscall.SysProcAttr.

I'm going to close this, but please feel free to reopen if you meant something else. An example would help.

@minux
Copy link
Member

minux commented Feb 1, 2016 via email

@stefanberger
Copy link
Author

I am working on namespacing the Linux integrity measurement architecture. Here a new IMA namespace will be created as part of the clone(). We intend to hook up a virtual TPM (TPM emulator) to the IMA namespace but have to do this after the clone() and before the execve(). The problem with the execve() is that it creates 'measurements' and these measurements will be extended into a PCR of the TPM emulator. So the hook-up of the vTPM with the IMA-namespace has to be done by the parent before the child executes the execve().
I initially wrote 'callback' in the title but removed that. It likely would not work so well, so a synchronization primitive, such as two pipes, could be used to indicate to the parent that it can do its job and then indicate to the child that it can proceed. As stated, we would like to be able to execute code in the parent before the child runs the execve().

@ianlancetaylor
Copy link
Member

Thanks for the description. It sounds like it would be sufficient to add a descriptor to syscall.SysProcattr, and for the child to read a byte from that descriptor before calling exec. I think that could be implemented.

@ianlancetaylor ianlancetaylor reopened this Feb 1, 2016
@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Feb 1, 2016
@stefanberger
Copy link
Author

:-) A single pipe will do .

@jessfraz
Copy link
Contributor

I think this should be ok once #20676 is in?

@gopherbot gopherbot added the compiler/runtime Issues related to the Go compiler and/or runtime. label Jul 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
compiler/runtime Issues related to the Go compiler and/or runtime.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@minux @jessfraz @stefanberger @ianlancetaylor @gopherbot