sigaction

Intro

sigaction - manipulate signal actions

Description

This event manipulates the action taken by a process on receipt of a particular signal. These signals can be generated internally by the kernel, by user programs, or sourced externally from the hardware. The action parameter describes what is to be done when the signal arrives.

The program specifies an action and a signal number, along with an optional set of flags which modify the behavior of the signal. The act argument points to a structure which specifies a signal handler and also includes a set of flags that modify the behavior of the sigaction call. The oact argument points to a location where a copy of the old signal action is stored.

This syscall is used when a user has to register multiple signal handlers and modify existing registered actions efficiently. Since different signals can be received, sigaction helps in implementing context-dependent behavior in the application, allowing it to react differently to different signals.

Arguments

  • sig:int - the signal number
  • act:const struct sigaction*[K] - a pointer to a structure that specifies the signal handler and a set of flags
  • oact:struct sigaction*[K-TOCTOU] - an optional pointer to a location where a copy of the old signal action is stored

Available Tags

  • K - Originated from kernel-space.
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)

Hooks

do_sigaction

Type

Kprobe

Purpose

To trace the signal action taken when a signal is delivered

do_signal

Type

Kprobe

Purpose

To trace the signal action taken when a signal occurs

Example Use Case

This event is useful for system administrators monitoring applications. When an application fails, signals can be sent to the application to notify the administrator and/or take action. This event can be used to trace these signal actions and create an audit trail.

Issues

The signal may arrive between the time when sigaction is called and when the signal handler is installed. This means that a signal the user didn't anticipate can still arrive, causing parts of the application to misbehave.

  • sigprocmask - Get and/or change the signal mask of a process (which signals are blocked)
  • sigpending - Get list of signals that are blocked and pending for delivery to the process
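One way to close the window described under Issues is to block the signal with sigprocmask before calling sigaction, and unblock it only after the handler is in place. The following is an added example, not code from Tracee; the function name install_with_block and the use of SIGUSR1 with a self-raised signal are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t hits;            /* written only by the handler */

static void on_usr1(int sig) { (void)sig; hits++; }

/* Installs a SIGUSR1 handler with the signal blocked during setup.
 * Returns how many times the handler ran, or -1 on error.
 * *pending is set to 1 if SIGUSR1 was held pending before the unblock. */
int install_with_block(int *pending)
{
    sigset_t block, prev, pend;
    struct sigaction act, oact;

    hits = 0;
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    if (sigprocmask(SIG_BLOCK, &block, &prev) != 0)   /* close the window */
        return -1;

    raise(SIGUSR1);      /* constructed: a signal arriving before setup is done */

    memset(&act, 0, sizeof act);
    act.sa_handler = on_usr1;
    act.sa_flags = SA_RESTART;
    sigemptyset(&act.sa_mask);
    if (sigaction(SIGUSR1, &act, &oact) != 0)         /* oact keeps the old action */
        return -1;

    if (sigpending(&pend) != 0)
        return -1;
    *pending = sigismember(&pend, SIGUSR1);           /* 1: held, not lost */

    if (sigprocmask(SIG_SETMASK, &prev, NULL) != 0)   /* handler runs here */
        return -1;

    if (sigaction(SIGUSR1, &oact, NULL) != 0)         /* put the old action back */
        return -1;
    return (int)hits;
}

int main(void)
{
    int pending = 0;
    int ran = install_with_block(&pending);
    printf("pending=%d handler_runs=%d\n", pending, ran);
    return ran == 1 ? 0 : 1;
}
```

Without the SIG_BLOCK step, the early SIGUSR1 would be handled by the old action (by default, process termination) instead of the new handler.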

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.