| @@ -864,6 +902,9 @@ static int send_signal(int sig, struct siginfo *info, struct task_struct *t,
| * and sent by user using something other than kill().
| */
| return -EAGAIN;
| +
| + if (from_ancestor_ns)
| + return -ENOMEM;
| }
|
| out_set:
We had wanted to start with a check like above and improve later. But if sender is from ancestor namespace, we must post the signal even if we don't have the siginfo right ? Otherwise, a SIGKILL from ancestor may get the -ENOMEM ? Conversely, if a signal from same namespace is being posted to cinit, and we don't have siginfo, ->si_pid would be 0 and get_signal_to_deliver() would mistake that the sender is an ancestor ns and process the signal (which should have been ignored). So, maybe we should start with the reverse check ? if (same_ns && (t->signal->flags & SIGNAL_UNKILLABLE)) return -ENOMEM; Sukadev _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
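Review bot: The added `if (from_ancestor_ns) return -ENOMEM;` carries no comment, although the `-EAGAIN` return directly above it is explained, so the reason a signal crossing a pid-namespace boundary is refused here is not recorded where the next maintainer will look. A comment such as `/* no sigqueue entry: si_pid cannot be delivered, so the receiver could not identify an ancestor-namespace sender */` would state the intent. It should also say why the code is `-ENOMEM` rather than the `-EAGAIN` used above, since this value presumably propagates to the sender as a failure code that callers of an ordinary signal send may not handle. The enclosing branch and the rest of send_signal() lie outside the hunk, so the no-siginfo condition is inferred from the surrounding comment and should be confirmed against the full function.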