runtime: use tgkill instead of tkill #27548
Labels: FrozenDueToAge, NeedsInvestigation, OS-Linux
This has been proposed previously (#24924), but was closed because Android allows tkill.
However, generally tgkill allows creation of a stricter sandbox (note that tkill is only used in runtime.raise to send a signal to the current thread).
With kill and tgkill, the sandbox policy (e.g., seccomp) can prevent the program from sending signals to other processes by checking that the first argument == getpid().
With tkill, the policy must whitelist all tids in the process, which is effectively impossible given Go's dynamic thread creation.
Specifically, this applies to the gVisor project, where we do not allow tkill in our seccomp policy. At the moment, we attempt to emulate the standard Go runtime signal behavior. This works, but I don't see any downsides to using tgkill in raise, and other sandboxed Go programs could benefit, hence this feature request.
cc @ianlancetaylor @eliasnaur
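As an added example (not code from this issue, gVisor or the Go runtime), here is the kind of seccomp-bpf policy the issue describes: kill and tgkill are allowed only when their first argument is the caller's own pid, tkill is refused with EPERM, and two small helpers mirror the tgkill and tkill forms of runtime.raise. It assumes Linux on x86_64 or aarch64; the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Audit arch of the build target, so the filter rejects foreign-ABI syscalls. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example covers x86_64 and aarch64 only"
#endif

/* Install the policy in the calling process. Returns 0, or -1 with errno set. */
int install_signal_filter(void) {
    unsigned int self = (unsigned int)getpid();
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* tkill(2) can name any thread, so it is refused outright with EPERM. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_tkill, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        /* kill(2) and tgkill(2) carry the target pid/tgid in args[0]. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_kill, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_tgkill, 0, 3),
        /* Low 32 bits of args[0] (little-endian) must equal our own pid. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, self, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        /* Every other syscall is allowed, to keep the example focused. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* What runtime.raise would do with tgkill: signal only the calling thread. */
int raise_via_tgkill(int sig) { return (int)syscall(SYS_tgkill, getpid(), syscall(SYS_gettid), sig); }
/* The current tkill form, which the policy above refuses. */
int raise_via_tkill(int sig) { return (int)syscall(SYS_tkill, syscall(SYS_gettid), sig); }
```

Signal 0 is used in the checks so that only permission is tested and no signal is actually delivered.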