signalfd¶

Intro¶

signalfd - creates a file descriptor that can be used to accept signals

Description¶

signalfd() creates an object of type “signalfd” that can be used to accept signals. The signalfd file descriptor is returned. Once it is created, the signals specified in the set argument will be accepted by the file descriptor and handled according to the flags argument. If multiple threads are waiting for the same signal, their calls to signalfd() will all be queued; each call will receive the same signalfd. If the same signal is received though, the previous one will be packed into the structure until it is read by the user.

The events signalled by a signalfd() call can be edge-triggered or level-triggered depending on the flags argument. The signalfd() call also allows for implementation of a signal queue.

Advantages of using signalfd() instead of signal() include increased file descriptor limits, asynchronous notification and synchronization of signal delivery. Signalfd() calls are also generally more reliable than their signal() counterparts and more efficient in terms of CPU usage.

Arguments¶

fd:int[K] - file descriptor returned.
mask:sigset_t*[U, TOCTOU] - pointer to the signals that will be handled by the file descriptor.
flags:int[K] - flags that determine if the handled signals will be edge- or level-triggered.

Available Tags¶

K - Originated from kernel-space.
U - Originated from user space (for example, pointer to user space memory used to get it)
TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
OPT - Optional argument - might not always be available (passed with null value)

Hooks¶

do_signalfd¶

Type¶

kretprobe

Purpose¶

Hook the return point from signalfd.

do_signalfd4¶

Type¶

kprobe

Purpose¶

Hook the sycall signalfd entry point.

Example Use Case¶

Signalfd can be used to provide asynchronous notification of pending signals. For instance, a multitasking daemons or services could be designed to respond quickly to events and signals received by certain file descriptors.

Issues¶

Signalfd is subject to the Time of check-time of use race condition, where the operation between a check on the validity of a resource and an operation on the same resource is visible or exploitable.

select - Can be used to multiplexing I/O operations on multiple file descriptors in a single thread.
pselect - Same as select but also sets a timeout argument to prevent blocking.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.

signalfd¶

Intro¶

Description¶

Arguments¶

Available Tags¶

Hooks¶

do_signalfd¶

Type¶

Purpose¶

do_signalfd4¶

Type¶

Purpose¶

Example Use Case¶

Issues¶

Related Events¶