Fix resume() for COW clones: send SIGCONT instead of no-op

congwang-mk · congwang-mk · commit 39b5c92c63eb · 2026-03-19T20:56:23.000-07:00
Signed-off-by: Cong Wang &lt;cwang@multikernel.io&gt;
diff --git a/src/sandlock/sandbox.py b/src/sandlock/sandbox.py
@@ -284,18 +284,19 @@ def pause(self) -> None:
             os.killpg(p, signal.SIGSTOP)
 
     def resume(self) -> None:
-        """Resume the sandbox by sending SIGCONT to the process group.
+        """Resume the sandbox by sending SIGCONT.
 
-        For COW clones, this is a no-op — clones start running
-        immediately after creation.
+        Uses ``kill`` for COW clones (single process) and ``killpg``
+        for regular sandboxes (entire process group).
         """
-        if self._clone_pid is not None:
-            return  # Clone is already running
         p = self.pid
-        if p is None:
+        if p is None or not self.alive:
             raise SandboxError("No running process to resume")
         try:
-            os.killpg(p, signal.SIGCONT)
+            if self._clone_pid is not None:
+                os.kill(p, signal.SIGCONT)
+            else:
+                os.killpg(p, signal.SIGCONT)
         except ProcessLookupError:
             raise SandboxError("Process no longer exists")
 
diff --git a/tests/test_clone.py b/tests/test_clone.py
@@ -184,5 +184,74 @@ def work():
             os.unlink(path)
 
 
+class TestClonePauseResume(unittest.TestCase):
+    """Verify that pause()/resume() works on COW clones."""
+
+    def test_pause_resume_clone(self):
+        """A paused clone resumes and completes after SIGCONT."""
+        import sys
+        import tempfile
+        import time
+
+        marker = tempfile.mktemp(prefix="sandlock_test_pause_")
+
+        def init():
+            pass
+
+        def work():
+            # Write marker after a brief moment to prove we ran
+            with open(marker, "w") as f:
+                f.write("done")
+
+        policy = Policy(
+            fs_writable=["/tmp"],
+            fs_readable=[sys.prefix, "/usr", "/lib", "/etc", "/proc", "/dev"],
+        )
+
+        with Sandbox(policy, init, work) as sb:
+            clones = sb.fork(1)
+            clone = clones[0]
+            # Give the clone a moment to start
+            time.sleep(0.1)
+            clone.pause()
+            self.assertTrue(clone.is_paused)
+            # Resume and wait for completion
+            clone.resume()
+            clone.wait(timeout=10)
+
+        self.assertTrue(os.path.exists(marker))
+        self.assertEqual(open(marker).read(), "done")
+        os.unlink(marker)
+
+    def test_resume_without_pause_is_harmless(self):
+        """Calling resume() on a running clone should not error."""
+        import sys
+        import tempfile
+
+        marker = tempfile.mktemp(prefix="sandlock_test_resume_noop_")
+
+        def init():
+            pass
+
+        def work():
+            with open(marker, "w") as f:
+                f.write("ok")
+
+        policy = Policy(
+            fs_writable=["/tmp"],
+            fs_readable=[sys.prefix, "/usr", "/lib", "/etc", "/proc", "/dev"],
+        )
+
+        with Sandbox(policy, init, work) as sb:
+            clones = sb.fork(1)
+            clone = clones[0]
+            # resume a non-paused clone — should be harmless
+            clone.resume()
+            clone.wait(timeout=10)
+
+        self.assertTrue(os.path.exists(marker))
+        os.unlink(marker)
+
+
 if __name__ == "__main__":
     unittest.main()
