sigaction - manipulate signal actions
This event manipulates the action taken by a process on receipt of particular signal. These signals can be generated internally by the kernel, by user programs, or sourced externally from the hardware. The action parameter describes what is to be done when the signal arrives.
The program specifies an action and a signal number, along with an optional set of flags which modify the behavior of the signal. The act argument points to a structure which specifies a signal handler and also includes a set of flags that modify the behavior of the sigaction call. The oact argument points to a location where a copy of the old signal action is stored.
This syscall is used when user has to register multiple signal handlers and modify existing registered actions efficiently. Since different signals can be received, sigaction helps in implementing context-dependent behavior in the application, allowing it to react differently to different signals.
int- the signal number
const struct sigaction*[K] - a pointer to a signal-handling function or a set of flags
struct sigaction*[K-TOCTOU] - an optional pointer to a signal-handling function or a set of flags
- K - Originated from kernel-space.
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
To trace the signal action taken when signal deliveres
To trace the signal action taken when signal occurs
Example Use Case¶
This event is useful for system administrators monitoring applications. When an application fails, signals can be sent to the application to notify the administrator and/or take action. This event can be used to trace these signal actions and create an audit trail.
The signal may arrive between the time when
sigaction is called and when the signal handler is installed. This means that a signal the user didn't anticipate can still arrive, causing parts of the application to misbehave.
sigprocmask- Get and/or change the signal mask of a process (which signals are blocked)
sigpending- Get list of signals that are blocked and pending for delivery to the process
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.