ima-emulator: Implement graceful shutdown #525
Conversation
ansasaki
force-pushed
the
emulator_threads
branch
2 times, most recently
from
70b1a72 to
29dc015
Compare
|
/packit retest-failed |
keylime-ima-emulator/src/main.rs
Outdated
| // FIXME: We could poll IMA_ML as in the python implementation, though | ||
| // the file is not pollable: | ||
| // https://github.com/torvalds/linux/blob/master/security/integrity/ima/ima_fs.c#L267 | ||
| // Better idea might be to check the "runtime_measurements_count" file. |
There was a problem hiding this comment.
Maybe this can be used? https://crates.io/crates/signal-hook
If I read the code it is not using an active loop like in this solution, and the example seems really similar to the current approach.
There was a problem hiding this comment.
I can try, but I'm afraid it will fall into the case mentioned in the comment:
// Do some time-limited stuff here
// (if this could block forever, then there's no guarantee the signal will have any
// effect).
Edit: I mean, we loop forever in the main thread
There was a problem hiding this comment.
Well, apparently it works! I'll push the (much simpler) changes.
There was a problem hiding this comment.
Thank you for the suggestion!
There was a problem hiding this comment.
IIRC in POSIX a signal is not a thread, is a callback that needs to be re-registered.
This adds signal-hook as a dependency for the IMA emulator. The main thread is stopped on Ctrl + C (SIGINT). Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
ansasaki
force-pushed
the
emulator_threads
branch
from
29dc015 to
46b2197
Compare
|
/packit retest-failed |
|
The issues on Fedora Rawhide can be related with a regression: The other issue is again the conflict between i686 and x86_64 packages that for some reason are installed together. |
This adds signal-hook as a dependency for the IMA emulator. The strategy is similar to what is done on the keylime agent: a dedicated thread is spawned to stop the main task on Ctrl + C (SIGINT).