From 116d1763d91914b9220847fb98333ebda052f66a Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 30 Jun 2025 15:55:21 -0600
Subject: [PATCH] lib: opt-in signal handlers

Instead of enabling signal handlers by default, require the user of the library to opt-in. This is done with the call to SCEnableDefaultSignalHandlers, which sets a flag to add the default signal handlers. This seems like the least invasive way to do this at this time, but it will require some re-thinking for 9.0, especially if migrate globals to engine instances, signal handling will need to be re-thought.

Ticket: #6814
---
 examples/lib/custom/main.c | 6 ++++++
 examples/lib/simple/main.c | 3 +++
 src/main.c | 3 +++
 src/suricata.c | 11 +++++++++--
 src/suricata.h | 7 +++++++
 5 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/examples/lib/custom/main.c b/examples/lib/custom/main.c
index 200936cae0..0f0616690f 100644
--- a/examples/lib/custom/main.c
+++ b/examples/lib/custom/main.c
@@ -202,6 +202,12 @@ int main(int argc, char **argv)
 exit(EXIT_FAILURE);
 }
 
+ /* Enable default signal handlers including SIGHUP for log file rotation,
+ * and SIGUSR2 for reloading rules. This should be done with care by a
+ * library user as the application may already have signal handlers
+ * loaded. */
+ SCEnableDefaultSignalHandlers();
+
 /* Set "offline" runmode to replay a pcap in library mode. */
 if (!SCConfSetFromString("runmode=offline", 1)) {
 exit(EXIT_FAILURE);
diff --git a/examples/lib/simple/main.c b/examples/lib/simple/main.c
index f9c09fb0f5..f8bead08c9 100644
--- a/examples/lib/simple/main.c
+++ b/examples/lib/simple/main.c
@@ -47,6 +47,9 @@ int main(int argc, char **argv)
 exit(EXIT_FAILURE);
 }
 
+ /* Enable default signal handlers just like Suricata. */
+ SCEnableDefaultSignalHandlers();
+
 SuricataInit();
 SuricataPostInit();
 
diff --git a/src/main.c b/src/main.c
index f9fcbf5e2c..86367c1ef1 100644
--- a/src/main.c
+++ b/src/main.c
@@ -49,6 +49,9 @@ int main(int argc, char **argv)
 exit(EXIT_FAILURE);
 }
 
+ /* Enable default signal handlers */
+ SCEnableDefaultSignalHandlers();
+
 /* Initialization tasks: apply configuration, drop privileges,
 * etc. */
 SuricataInit();
diff --git a/src/suricata.c b/src/suricata.c
index 57bbf17552..f7b62c9dd2 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -286,6 +286,11 @@ void SCRunmodeSet(SCRunMode run_mode)
 suricata.run_mode = run_mode;
 }
 
+void SCEnableDefaultSignalHandlers(void)
+{
+ suricata.install_signal_handlers = true;
+}
+
 /** signal handlers
 *
 * WARNING: don't use the SCLog* API in the handlers. The API is complex
@@ -2870,8 +2875,10 @@ int PostConfLoadedSetup(SCInstance *suri)
 if (MayDaemonize(suri) != TM_ECODE_OK)
 SCReturnInt(TM_ECODE_FAILED);
 
- if (InitSignalHandler(suri) != TM_ECODE_OK)
- SCReturnInt(TM_ECODE_FAILED);
+ if (suri->install_signal_handlers) {
+ if (InitSignalHandler(suri) != TM_ECODE_OK)
+ SCReturnInt(TM_ECODE_FAILED);
+ }
 
 /* Check for the existence of the default logging directory which we pick
 * from suricata.yaml. If not found, shut the engine down */
diff --git a/src/suricata.h b/src/suricata.h
index 5e1e72259c..6344e4ee71 100644
--- a/src/suricata.h
+++ b/src/suricata.h
@@ -160,6 +160,8 @@ typedef struct SCInstance_ {
 bool set_datadir;
 bool unix_socket_enabled;
 
+ bool install_signal_handlers; /**< Install default signal handlers */
+
 int delayed_detect;
 int disabled_detect;
 int daemon;
@@ -214,6 +216,11 @@ SCRunMode SCRunmodeGet(void);
 */
 void SCRunmodeSet(SCRunMode run_mode);
 
+/**
+ * \brief Enable default signal handlers.
+ */
+void SCEnableDefaultSignalHandlers(void);
+
 int SuriHasSigFile(void);
 
 void SuricataPreInit(const char *progname);
-- 
2.47.2
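Review bot: `SCEnableDefaultSignalHandlers()` sets the flag on the global `suricata`, while the check added in `PostConfLoadedSetup` reads it through `suri->install_signal_handlers`, so the opt-in only takes effect if the `suri` passed in is that same global, which these hunks do not show. A short comment in the setter would record that assumption for the engine-instance work the commit message mentions, for example `/* Sets the global instance; this must be the one later passed to PostConfLoadedSetup(). */`. The setter is also one-way, with no call to clear the flag again, which is worth stating if intended.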
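Review bot: With the flag unset, the new `if (suri->install_signal_handlers)` in `PostConfLoadedSetup` skips everything `InitSignalHandler()` sets up, not only the SIGHUP and SIGUSR2 handling named in the example comment. The body of `InitSignalHandler` is outside this hunk, so the following is inferred: if it also installs termination handlers or ignores signals such as SIGPIPE, an embedding process that does not opt in keeps the OS default dispositions and can be killed without a clean engine shutdown. I would add a comment above the check, `/* Library users that skip this must handle shutdown, log rotation and rule reload signals themselves. */`, so the responsibility shift is visible at the point where it happens. `PostConfLoadedSetup` starts and ends outside the hunk.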
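Review bot: The doc block added for `SCEnableDefaultSignalHandlers` in suricata.h is only `\brief Enable default signal handlers.` and states neither when the call must be made nor that the default is now off. The flag is read once in `PostConfLoadedSetup`, and all three callers in this patch make the call before `SuricataInit()`, so a later call presumably does nothing and fails silently. I would extend the comment with ` * Must be called before SuricataInit(); without it no default signal handlers are installed.` after confirming that ordering against the init path.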