fix(core): 引入 systemd-run 逃逸机制,彻底修复 OTA 升级时因子进程被 Cgroup 误杀导致的假死漏洞

This commit is contained in:
hotyue
2026-04-20 17:13:48 +00:00
parent 172f1e0209
commit 34f2c7e123
2 changed files with 18 additions and 5 deletions


@@ -375,10 +375,17 @@ class AgentHandler(http.server.BaseHTTPRequestHandler):
self.wfile.write(b"Action Accepted: trigger_ota\n")
# 挂起异步升级进程 (注入 SILENT_OTA 旁路变量跳过所有 read -p 交互)
# 注意:这里我们写死拉取 dev-v3.6.0 分支的安装脚本进行覆盖测试,未来正式版上线时会改回 main
repo_url = "https://raw.githubusercontent.com/hotyue/IP-Sentinel/dev-v3.6.0"
ota_cmd = f"export SILENT_OTA='true'; curl -sL {repo_url}/core/install.sh | bash > /opt/ip_sentinel/logs/ota_upgrade.log 2>&1 &"
subprocess.Popen(['bash', '-c', ota_cmd])
import shutil
repo_url = "https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
ota_cmd = f"export SILENT_OTA='true'; curl -sL {repo_url}/core/install.sh | bash > /opt/ip_sentinel/logs/ota_upgrade.log 2>&1"
# [修复] 逃逸 Systemd Cgroup防止 Agent 在升级时被同归于尽机制误杀
if shutil.which("systemd-run"):
full_cmd = f"systemd-run --quiet --no-block bash -c \"{ota_cmd}\""
else:
full_cmd = f"nohup bash -c \"{ota_cmd}\" &"
subprocess.Popen(full_cmd, shell=True)
except Exception as e:
self.send_response(500)
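Review bot: `subprocess.Popen(full_cmd, shell=True)` on the last added line pushes `ota_cmd` through two more quoting layers (the outer shell plus the `"…"` around `bash -c`), which only works because `ota_cmd` happens to contain no `$`, `"` or backslash; an argument list removes both the quoting and the extra shell, and since Popen does not wait for the child, the trailing `&` of the fallback is no longer needed. The fallback `nohup … &` also does not address the problem named in the comment on line 22: nohup only ignores SIGHUP and the child stays in the agent unit's cgroup, so under systemd's default KillMode=control-group it is still killed when the unit stops — the same holds for the shell fallback on line 42 of the second file, and the comment should say the escape only takes effect when `systemd-run` is present. Separately, the new line 21 still runs a script fetched with `curl -sL … | bash` with no integrity check, now as a detached transient service that presumably runs as root (confirm what user the agent runs as); downloading to a file and verifying a published checksum or signature before executing would bound the impact of a redirected or compromised download. The `except` on line 28 belongs to a `try` that begins outside the hunk.
```python
# … unchanged: repo_url / ota_cmd …
if shutil.which("systemd-run"):
    argv = ["systemd-run", "--quiet", "--no-block", "bash", "-c", ota_cmd]
else:
    # nohup only ignores SIGHUP; the child stays in this unit's cgroup
    argv = ["nohup", "bash", "-c", ota_cmd]
subprocess.Popen(argv, start_new_session=True)
```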


@@ -267,7 +267,13 @@ while true; do
# 抛出幽灵进程进行脱壳升级,传递静默变量与回执 ID
export SILENT_MASTER_OTA="true"
export OTA_CHAT_ID="$CHAT_ID"
nohup bash /tmp/install_master.sh >/dev/null 2>&1 & disown
# [修复] 逃逸 Systemd Cgroup防止被同归于尽机制误杀
if command -v systemd-run >/dev/null 2>&1; then
systemd-run --quiet --no-block /bin/bash /tmp/install_master.sh
else
nohup bash /tmp/install_master.sh >/dev/null 2>&1 & disown
fi
# 当前旧进程休眠并等待被幽灵进程处决
sleep 10
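Review bot: The `systemd-run` call on line 40 does not receive the variables exported on lines 35–36: a transient service is started by the service manager with the manager's environment, not the calling shell's, so `/tmp/install_master.sh` will not see `SILENT_MASTER_OTA` or `OTA_CHAT_ID` and the silent/receipt behaviour described in the comment on line 34 only works in the nohup fallback. Pass them explicitly: `systemd-run --quiet --no-block --setenv=SILENT_MASTER_OTA=true --setenv=OTA_CHAT_ID="$CHAT_ID" /bin/bash /tmp/install_master.sh`. Executing a script from the shared `/tmp` directory as a privileged transient service also means whoever can create that path first decides what runs; how the file is written is outside the hunk, but keeping it under a root-owned directory or checking its ownership and mode before this line closes that window. The enclosing `while true` loop starts and ends outside the hunk.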