VSTATUS, with or without SIGINFO
The kernel is able to support up to 64 different signal types, which seems like a fair number, but all 64 are taken, on some architectures at least. That makes it impossible to add new signal types to Linux. Drummond sought to address that problem by raising the limit to 1024, which would surely be enough for all time. Raising the limit requires making some subtle changes to the user-space API (putting a larger signal mask into the information passed to realtime signal handlers, for example) that have the possibility of breaking applications, which means that extra scrutiny would be required. But that, it seems, is what would be needed to be able to add more signals.
Developers immediately wanted to know why there was a need to add signals, and urged Drummond to find an alternative if possible. As Eric Biederman put it:
Please let's not expand the number of signals supported if there is any alternative. Signals only really make sense for supporting existing interfaces. For new applications there is almost always something better.
So why is there a need to add new signals? The answer has roots in ancient history, well before the creation of Linux. The TOPS-10 operating system was developed by Digital Equipment Corporation in the 1970s; one feature it offered was to print a line of status information (what was running, CPU time consumed, etc.) when the user typed control-T. It was a quick way for users to verify that the system was still alive and making progress on whatever task they were running. This feature found its way into VMS later on, and it still exists today in a number of BSD variants. Linux, however, does not have this feature — in that form, anyway.
Within the kernel, there are two aspects to supporting this feature, which goes by the name VSTATUS. The first is to recognize the status request in the terminal driver; this is done using the same logic that recognizes other control characters, such as control-C to send a SIGINT signal to the running process. The kernel would then respond to the keystroke in two ways:
- The kernel will print a status line directly to the terminal with generic information about the running process and the state of the system.
- A SIGINFO signal is sent to the process running on the terminal at the time. Applications can catch this signal to print some status information of their own; a copy application could tell the user how far the copy has progressed, for example.
The Linux kernel doesn't implement VSTATUS, so it won't do either of the above things. Adding the ability to print a status line to the terminal driver is not that hard; neither is sending a signal in response to an event. The problem is that Linux does not implement SIGINFO, so that signal would need to be added and, as noted above, there is no room to add new signals. Thus Drummond's patch set.
This is not the first time that VSTATUS support has been requested; the issue also came up in 2014 and again in 2019 — and undoubtedly other times as well. In 2019, Arseny Maslennikov tried to get around the signal limitation by defining SIGINFO as a synonym for SIGPWR, which was meant to (depending on who is reminiscing at the time) indicate that either a power failure was impending or power had been restored. Either way, the signal is delivered only to the init process, and it tends to be little used on current systems. Repurposing it for VSTATUS requires changing the default action for SIGPWR to "ignore" but otherwise shouldn't prove disruptive to user space.
Or so the developers would hope. Real-world uses of SIGPWR are rare, but they do exist; as Ted Ts'o pointed out, systemd can be made to respond to it, for example. Changing the default handling of SIGPWR would probably not break any user-space applications, but it is hard to know that for sure. If something does break, it could show up years later when the change makes it into an enterprise kernel; at that point, the problem would be nearly impossible to fix to everybody's satisfaction. So it is unsurprising that kernel developers are reluctant to make a change like this.
Over the years, there have also been questions about whether the feature is
really needed or not. As Greg Kroah-Hartman pointed out
in 2019, the kernel's "magic
SysRq" feature does everything VSTATUS does (and a lot more). But
magic SysRq only works on the system console; as Biederman noted in the
above-linked message, a "persuasive case
" could be made for
the utility of this feature for users interacting with systems over SSH,
for example. So a use case for VSTATUS does appear to exist.
Given that, what is to be done? Ts'o's message above included a suggestion:
implement VSTATUS as far as printing the status line from the kernel, but
don't bother sending the SIGINFO signal to user space. That
eliminates the need to add a new signal (or repurpose an old one), which is
where all the problems arise. This
implementation would deprive user space of the ability to add its own
status information, but the number of programs that have ever implemented
SIGINFO handling is quite small; Drummond said
that only sleep, dd, and ping have such support,
"so it's not like there's a vast hole
in the tooling or something, nor is there a large legacy software base
just waiting for SIGINFO to appear
". He readily agreed
to leave out the SIGINFO part.
The followup patch set without SIGINFO has not been posted as
of this writing. Once it arrives, there should not be a great deal of
opposition to its merging into the mainline; at that point, Linux will have
most of the VSTATUS functionality that is offered by the BSDs. If it turns
out later on that somebody really needs the SIGINFO part, that
whole problem can be reconsidered. Meanwhile, though, the kernel community
is happy to kick that can further down the road.
| Index entries for this article | |
|---|---|
| Kernel | Signal handling |
Posted Jan 6, 2022 19:48 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (13 responses)
Posted Jan 6, 2022 20:16 UTC (Thu)
by pdewacht (subscriber, #47633)
[Link] (12 responses)
Posted Jan 6, 2022 20:44 UTC (Thu)
by josh (subscriber, #17465)
[Link]
Posted Jan 6, 2022 23:03 UTC (Thu)
by walters (subscriber, #7396)
[Link] (8 responses)
Posted Jan 6, 2022 23:40 UTC (Thu)
by neilbrown (subscriber, #359)
[Link] (7 responses)
Posted Jan 7, 2022 1:20 UTC (Fri)
by NYKevin (subscriber, #129325)
[Link] (6 responses)
1. What is described above, where applications opt into receiving SIGUSR1, or possibly another signal. Pros: Some apps already have signal handlers for SIGUSR1, so this is a one-line change for them. Cons: Signals suck.
Posted Jan 7, 2022 5:26 UTC (Fri)
by neilbrown (subscriber, #359)
[Link]
Posted Jan 7, 2022 5:39 UTC (Fri)
by alison (subscriber, #63752)
[Link] (4 responses)
Posted Jan 7, 2022 5:52 UTC (Fri)
by alison (subscriber, #63752)
[Link] (3 responses)
``t`` Will dump a list of current tasks and their information to your
which seems inspired by Ctrl-T signals. It is a bit hard to see why another signal is needed.
Posted Jan 7, 2022 8:24 UTC (Fri)
by taladar (subscriber, #68407)
[Link] (2 responses)
Posted Jan 7, 2022 14:34 UTC (Fri)
by abatters (✭ supporter ✭, #6932)
[Link] (1 responses)
echo t > /proc/sysrq-trigger
Posted Jan 7, 2022 17:54 UTC (Fri)
by flussence (guest, #85566)
[Link]
Posted Jan 8, 2022 11:50 UTC (Sat)
by fw (subscriber, #26023)
[Link]
Posted Jan 9, 2022 16:57 UTC (Sun)
by mm7323 (subscriber, #87386)
[Link]
Posted Jan 6, 2022 21:00 UTC (Thu)
by neilbrown (subscriber, #359)
[Link] (4 responses)
Because of course there is only one process running on a terminal at a time. Pipelines don't exist...
I wonder what happens if multiple processes in a pipeline respond to the signal. Do their status messages get intermingled?
If I recall correctly, RSTS/E responded to ctrl-T as well.
Posted Jan 6, 2022 21:28 UTC (Thu)
by mpr22 (subscriber, #60784)
[Link]
One approach (and I'm not necessarily advocating it) would be:
Which process has the terminal on fd 0 and would NOT get SIGTTIN if it tried to read from fd 0?
That's the one that should get the signal.
Posted Jan 7, 2022 2:29 UTC (Fri)
by kschendel (subscriber, #20465)
[Link]
Well, of course they don't. It was TOPS-10. A process either belonged to a terminal, or was a daemon. In fact, the word "process" wasn't used much, outside of register W being the PDB (process data block). A more commonly used term was "job".
This brings back (mostly) fond memories of hammering on control-T to find out whether the internal dev KL10 had crashed again or not. Realistically, control-T was usually about as useful as an elevator Close Door button, but much more rewarding.
Posted Jan 7, 2022 3:05 UTC (Fri)
by wahern (subscriber, #37304)
[Link] (1 responses)
Technically SIGINFO is sent to the foreground process group: https://github.com/openbsd/src/blob/5a74f40/sys/kern/tty..... But for the kernel-generated message, it seems the kernel picks just one foreground process to report on. On OpenBSD the relevant code (https://github.com/openbsd/src/blob/5a74f40/sys/kern/tty....) in ttyinfo is commented thusly,
/*
The termios(4) manual page STATUS description on FreeBSD and macOS comport with that behavior.
> I wonder what happens if multiple processes in a pipeline respond to the signal. Do their status messages get intermingled?
AFAICT, yes, but that's not really any different than other situations where multiple processes share stderr. Normally message formatting and write atomicity (up to PIPE_BUF, maybe more if writes to a TTY have better guarantees?) will preserve line boundaries if only by accident, and in interactive sessions usually that's good enough. That said, the OpenBSD code sends SIGINFO *before* printing the kernel message, and it doesn't look like there's any buffering involved. ttyprintf calls kprintf without the optional output buffer, which results in kprintf printing the formatted message byte-by-byte straight to the tty (kprintf -> kputchar -> tputchar -> ttyoutput). See subr_prf.c and tty.c. But maybe there's some buffering lower down in the tty layer or higher up with a lock on the TTY? (I've expended my curiosity.) If not it would seem better to print the kernel diagnostic before invoking SIGINFO.
Posted Jan 7, 2022 3:28 UTC (Fri)
by wahern (subscriber, #37304)
[Link]
Posted Jan 7, 2022 1:13 UTC (Fri)
by judas_iscariote (guest, #47386)
[Link]
Posted Jan 7, 2022 6:17 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (20 responses)
One simple proposal:
This would make signals so much more usable.
Posted Jan 7, 2022 12:10 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link] (19 responses)
Posted Jan 7, 2022 17:49 UTC (Fri)
by flussence (guest, #85566)
[Link]
Posted Jan 7, 2022 19:17 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Jan 8, 2022 9:18 UTC (Sat)
by roc (subscriber, #30627)
[Link] (16 responses)
Posted Jan 9, 2022 22:33 UTC (Sun)
by NYKevin (subscriber, #129325)
[Link] (15 responses)
Anyway, the purpose of signalfd is not to share signals with other processes, it's to make signals less painful for people who are already in the business of writing an epoll/select loop, and don't want to faff about with pselect, signal handlers, etc. For this purpose, it works just fine.
Posted Jan 10, 2022 2:16 UTC (Mon)
by ibukanov (subscriber, #3942)
[Link] (4 responses)
Posted Jan 10, 2022 3:06 UTC (Mon)
by NYKevin (subscriber, #129325)
[Link] (3 responses)
Posted Jan 10, 2022 9:22 UTC (Mon)
by ibukanov (subscriber, #3942)
[Link] (2 responses)
As described above, in normal usage one blocks the signals that will be accepted via signalfd(). If spawning a child process to execute a helper program (that does not need the signalfd file descriptor), then, after the call to fork(2), you will normally want to unblock those signals before calling execve(2), so that the helper program can see any signals that it expects to see. Be aware, however, that this won't be possible in the case of a helper program spawned behind the scenes by any library function that the program may call. In such cases, one must fall back to using a traditional signal handler that writes to a file descriptor monitored by select(2), poll(2), or epoll(7).
Surely if one controls the code and does not use libraries that executes processes it is fine. But it easy to forget about that. So in one code I just used a signal handler and pipe. As a bonus the code stays compatible with BSD. What is puzzling is that in all those years since signalfd were added no flag were added to reset blocked signals on exec.
Posted Jan 10, 2022 19:25 UTC (Mon)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
I'm not really a fan of libraries randomly forking off temporary processes without the application code's knowledge or consent, to be honest. Sure, if a library is specifically designed to do something like implement a process pool, I suppose it's unavoidable, but if you're just forking off a process because you can, then maybe don't do that.
Posted Jan 11, 2022 11:23 UTC (Tue)
by ibukanov (subscriber, #3942)
[Link]
As for pselect if one writes to a pipe in the signal handler, then one does not need that. I wish that somebody would come up with a flag or something not to keep signals blocked across exec similarly to noexec flags to file descriptors, but I guess that writing to a pipe from a signal handler is so common knowledge that nobody bothered.
Posted Jan 10, 2022 3:37 UTC (Mon)
by nybble41 (subscriber, #55106)
[Link] (5 responses)
From a security point of view, the process calling signalfd() does not have the capability to block signals in arbitrary other processes, or to access data about those signals, so it should not be possible for it to send a file descriptor with those effects to another process. Even if the receiving process is blocking and getting data about its *own* signals, it's still a security risk since those signal handlers shouldn't be blocked and data about the process state, including code addresses otherwise protected by ASLR, might be leaked. (The receiving process would reasonably assume that any data read from the FD would also have been available to the sender—which is not true for signalfd file descriptors.)
Posted Jan 10, 2022 7:23 UTC (Mon)
by NYKevin (subscriber, #129325)
[Link] (4 responses)
Current behavior where signalfd always gives your own signals: signalfd does not mask or ignore signals just by existing. If you completely ignore it, then it doesn't do anything, so unexpectedly sending someone a signalfd accomplishes nothing from a security perspective, at least as far as I understand its semantics.
Proposed behavior where signalfd operates cross-thread or cross-process: 🤷♂️. I'm having a hard time believing you can maintain the "doesn't block signals automatically" invariant and *also* maintain the "every signal is delivered exactly once" invariant, but I don't know enough about the implementation to say that for sure.
Posted Jan 10, 2022 7:34 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link]
That's because a way to asynchronously interrupt a thread is extremely useful for many practical purposes. For example, Golang uses signals to force GC in tight loops without having to poll for it. But you have to jump through lots of hoops to be able to use signals. They are completely useless for libraries or anything that shares address space, like plugins (Flash plugin signal bug comes to mind).
Windows has a similar mechanism: APC (Asynchronous Procedure Calls) - https://docs.microsoft.com/en-us/windows/win32/sync/async... and it's extremely useful for some low-level functionality.
Posted Jan 10, 2022 15:46 UTC (Mon)
by nybble41 (subscriber, #55106)
[Link] (2 responses)
Sure, if you completely ignore the received file descriptor it doesn't do anything. The same would apply for the proposed alternative version—just holding a signalfd from another process would have no effect on either process. But generally one would expect the receiving process to *read* from the file descriptor, which for signalfd is the part that affects signal delivery.
Posted Jan 10, 2022 19:18 UTC (Mon)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
The basic principle remains, however, that writing setuid binaries is an extremely fragile process and you need to be highly paranoid about absolutely everything. signalfd does not materially change that fact (especially since it's been in Linux "since kernel 2.6.22" according to signalfd(2), so the people who make these binaries really should be aware of it by now...).
Posted Jan 12, 2022 2:46 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link]
Do you have any examples of situations where this would be an issue, apart from signalfd()? Passing file descriptors has been a standard part of various protocols for a long time now, including between processes of different privilege levels. The expectation is that reading from a file descriptor has the same effect in both the sending and receiving processes, which would imply that there is no security issue. The signalfd API breaks that expectation.
The problem isn't limited to SUID binaries. The destination could be any process running as a different user. The Wayland clipboard protocol[0], to pick one example, involves sending a file descriptor from the data source to the client obtaining the data, which is expected to read the content from the provided file descriptor after negotiating the format. These processes need not belong to the same user.
Also, /dev/stdin is a potential risk as an inherited FD which the target process does not open itself. Do SUID binaries routinely check FD 0 with fstat() before reading input to verify that it isn't a signalfd file descriptor, as opposed to a file, socket, pipe, tty, etc.—basically anything other than signalfd—which could be a reasonable and safe input source?
The behavior and permissions of a file descriptor should be determined by who opens or creates the descriptor, not who reads from it.
[0] https://wayland.freedesktop.org/docs/html/ch04.html#sect-...
Posted Jan 10, 2022 9:57 UTC (Mon)
by roc (subscriber, #30627)
[Link] (3 responses)
I think my preferred behavior for signalfd would be that the signal is available through the fd if and only if it is blocked in the process that is the source of the signalfd, i.e. if the signal is unblocked (by the user or in the synchronous case) then signalfd doesn't get it.
> Anyway, the purpose of signalfd is not to share signals with other processes
Maybe that's not the original purpose, but the whole point of orthogonal API design and "everything is a file" is that you can compose features to address new use cases not anticipated by the designers of the individual APIs.
In rr and Pernosco we have a couple of instances of a non-uncommon case: the user runs a process A that in some cases forwards its work to another process B in an unrelated part of the process tree. We want signals like SIGINT, SIGTERM etc sent to A to be handled in B. signalfd looks like it should work for this, but it doesn't, because it has this very strange behavior that what you read from the file descriptor depends on which process is reading from it. Instead we pretend it's the 1980s and install signal handlers that write data to a pipe.
Posted Jan 10, 2022 19:40 UTC (Mon)
by NYKevin (subscriber, #129325)
[Link] (2 responses)
I see. That makes a great deal of sense to me, but I would still be concerned about all of the following:
* What data structure holds the list of pending signals for a given process or thread? How thread-safe is this structure?
> I think my preferred behavior for signalfd would be that the signal is available through the fd if and only if it is blocked in the process that is the source of the signalfd, i.e. if the signal is unblocked (by the user or in the synchronous case) then signalfd doesn't get it.
* Does this cause thread-safety issues with pselect, which has to atomically (modify the signal mask) and (wait for FD events)? What if you use pselect to unmask a signal which is associated with a signalfd that you are pselecting against? I should expect that to Just Work (i.e. it always executes the signal handler and never returns a ready-to-read event for the signalfd), regardless of when the signal arrives. Is the current implementation prepared to do that?
Posted Jan 10, 2022 20:29 UTC (Mon)
by roc (subscriber, #30627)
[Link] (1 responses)
> What if you use pselect to unmask a signal which is associated with a signalfd that you are pselecting against?
The signal will be delivered normally and not be received by the signalfd. That seems to be the only reasonable behavior.
Posted Jan 10, 2022 20:32 UTC (Mon)
by roc (subscriber, #30627)
[Link]
Posted Jan 7, 2022 7:32 UTC (Fri)
by bof (subscriber, #110741)
[Link] (2 responses)
tty/pty suddenly reacting to Ctrl-T, will be a regression for anything now sending ctrl-T through e.g. an ssh session to some remote process and not requesting no-pty, whatever the use of that might be - and use cases doing that, would then break.
Right?
Posted Jan 7, 2022 9:34 UTC (Fri)
by neilbrown (subscriber, #359)
[Link] (1 responses)
Posted Jan 7, 2022 18:52 UTC (Fri)
by bof (subscriber, #110741)
[Link]
Posted Jan 7, 2022 10:41 UTC (Fri)
by dveeden (subscriber, #120424)
[Link]
http://dtrace.org/blogs/brendan/2013/10/05/control-t-for-...
Posted Jan 8, 2022 17:21 UTC (Sat)
by jrtc27 (subscriber, #107748)
[Link] (2 responses)
* bin/chflags
So it turns out people tend to add support for features if they exist and not when they don't.
Posted Jan 20, 2022 5:42 UTC (Thu)
by Shabbyx (guest, #104730)
[Link] (1 responses)
Posted Jan 20, 2022 5:43 UTC (Thu)
by Shabbyx (guest, #104730)
[Link]
Posted Jan 10, 2022 3:10 UTC (Mon)
by NightMonkey (subscriber, #23051)
[Link]
If one were to come upon terminal either powered off or with a lonely blinking cursor or teletype with no text, what is a quick, non-intrusive way to see if a process is running, or not? Our friend "Ctrl-T". :)
This approach has a practical benefit, too. If the previous user was not really very responsible, or was late for their class/party/wedding/funeral, they could have left their TTY at the input prompt of any program. The next person to not use Ctrl-T, but instead hit space or return or enter could set off whatever was on the other side of that input statement or request... which could be a reboot, a disk erase, a terminal lock, etc.
You see where I'm going with this... ;) Cheers.
VSTATUS, with or without SIGINFO
As long as we're over-engineering, what about letting applications opt-in with something like this? :p
VSTATUS, with or without SIGINFO
prctl(PR_VSTATUS_SIGNAL, SIGUSR1)
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
Setting up a pollable fd to get status request notifications might be better.
Maybe a way to request POLLPRI notifications on the tty fd, and an ioctl to request timestamp of most recent status request.
VSTATUS, with or without SIGINFO
2. What you describe, where applications have to hook this into their main event loops somehow, which for some applications would entail *writing* a main event loop in the first place. Pros: The design is clearly superior to signals. Cons: What if you build it and nobody comes? More prosaically, this is not a one-line change for existing apps, and I'm sure that at least one will say "To hell with it, that's too much work for a minor status-reporting feature. Just manually run kill -SIGUSR1 if you really want us to output a status line."
VSTATUS, with or without SIGINFO
Arrange that fcntl(F_SETSIG) on the tty fd can cause the requested signal to be sent for the status request.
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
console.
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
dmesg
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
I don't remember it supporting pipelines though.
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
>
> Because of course there is only one process running on a terminal at a time.
* Find the most active thread:
* - prefer runnable
* - prefer higher pctcpu
* - prefer living
* Otherwise take the newest thread
*/
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
Replace signals!
1. Use file descriptors for signal numbers.
2. Signals are raised by writing a special "struct signal_info_t" into that descriptor.
3. Third-party processes can either receive the descriptor through usual descriptor sending means or use "/proc/pid/<fd>" files.
4. Signals are delivered asynchronously, with the usual semantics. With a way to get the copy of signal_info_t associated with the signal.
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
Replace signals!
* Is it possible to atomically dequeue a signal from the list, without taking a mutex?
* If the above is not currently possible, what would be the performance overhead of modifying the data structure so that it is amenable to atomic operations?
* What does the existing "inject a signal handler" code path look like? Can the dequeue be cleanly separated from the injection, or are they tightly coupled? Presumably, you have to preempt the thread before the dequeue (to prevent the thread from exiting or blocking the signal before you can inject the handler), so I imagine there must be some amount of coupling there...
Replace signals!
Replace signals!
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
* bin/chmod
* bin/cp
* bin/dd
* bin/rm
* bin/sleep
* sbin/devd (like udev)
* sbin/dump (creates a full dump from a UFS filesystem that can be later restored)
* sbin/fsck_ffs
* sbin/newfs_msdos
* sbin/ping
* sbin/savecore (kernel core dumps)
* usr.bin/du
* usr.bin/fetch (lightweight curl/wget equivalent)
* usr.bin/gzip
* usr.bin/sort
* usr.bin/time
* usr.bin/wc
* usr.sbin/camdd (like dd but can use pass(4) for issuing asynchronous reads/writes directly to the CAM storage layer in the kernel)
* usr.sbin/chown
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIGINFO
VSTATUS, with or without SIvGINFO