在Python中启用seccomp后如何干净地退出?
作者:互联网
我在项目中通过python-prctl启用了seccomp.我无法弄清楚如何彻底退出 – 结果总是杀人.
我看到一些使用ctypes或ffi来尝试引用libc的例子,但如果我期望它们使用WIFEXITED,它们似乎也有同样的问题.
示例代码如下.结果总是“我们被杀死了”.
def main():
pid = os.fork()
if not pid:
prctl.set_seccomp(True)
os.write(0, 'Hi\n')
# os._exit(0)
# _exit(0)
# sys._exit(0)
# return
# ?!@#(*! What do?
endpid, status = os.waitpid(pid, 0)
print 'Child forked as %d and returned with %d' % (endpid, status)
if not os.WIFEXITED(status):
print 'Exitted abnormally'
if os.WIFSIGNALED:
if os.WTERMSIG(status) == signal.SIGKILL:
print 'We were killed to death'
else:
print 'Returned with %d' % (os.WEXITSTATUS(status))
快速更新,因为我忘记了libc的东西:
使用其中任何一个定义上面的_exit()仍会导致kill.
# FFI Method
ffi = cffi.FFI()
# Use _exit, which avoids atexit(), etc
ffi.cdef('void _exit(int);')
libc = ffi.dlopen(None)
_exit = libc._exit
…. 要么 ….
# ctypes method
libc = cdll.LoadLibrary('libc-2.18.so')
_exit = libc._exit
解决方法:
有人帮我找到了答案:
In glibc up to version 2.3, the _exit() wrapper function invoked the kernel system
call of the same name. Since glibc 2.3, the wrapper function invokes
exit_group(2), in order to terminate all of the threads in a process.
由于_exit包含exit_group并且exit_group不在seccomp过滤器中….它会被杀死. python执行的strace显示exit_group调用.
标签:python,seccomp 来源: https://codeday.me/bug/20190624/1277426.html