Security modules and sending signals within the same process
fweimer at redhat.com
Tue Dec 11 10:42:20 UTC 2018
* Stephen Smalley:
> Looks like commit 065add3941bd ("signals: check_kill_permission():
> don't check creds if same_thread_group()") skipped the uid-based
> checks if the sender and target were in the same thread group, but not
> the security hook call. One could argue that the security hook call
> ought to be skipped in that case as well using the same rationale
> given in that commit. Nothing appears to guarantee the property you
> state above for security_task_kill implementations, although none of
> the in-tree users are based on uids or gids so setresuid/setresgid
> shouldn't affect them.
Okay, thanks, so it looks like I don't have to do anything special to
support thread cancellation.
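
Added example, not part of the original message and not kernel code: a simplified userspace model in C of the check order described in the quoted text. It shows that a uid-keyed `security_task_kill` implementation would reject a signal between two threads of one process after a per-thread uid change, while a hook not keyed on uids is unaffected. The `struct task` fields, both hooks and `intra_process_signal` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model: only the fields this illustration needs. */
struct task { int tgid; unsigned uid; int label; };

typedef int (*task_kill_hook)(const struct task *cur, const struct task *t);

static int same_thread_group(const struct task *a, const struct task *b)
{
    return a->tgid == b->tgid;
}

/* Stand-in for the uid-based checks; the real kernel check is richer. */
static int kill_ok_by_cred(const struct task *cur, const struct task *t)
{
    return cur->uid == t->uid;
}

/* Hypothetical hook keyed on a label rather than on uids or gids. */
static int hook_label(const struct task *cur, const struct task *t)
{
    return cur->label == t->label ? 0 : -EACCES;
}

/* Hypothetical uid-keyed hook; per the message, no in-tree user does this. */
static int hook_uid(const struct task *cur, const struct task *t)
{
    return cur->uid == t->uid ? 0 : -EPERM;
}

/* Check order from the quoted text: the uid-based checks are skipped for
 * the same thread group, the security hook call is not. */
static int check_kill_permission(const struct task *cur,
                                 const struct task *t, task_kill_hook hook)
{
    if (!same_thread_group(cur, t) && !kill_ok_by_cred(cur, t))
        return -EPERM;
    return hook(cur, t);
}

/* Constructed scenario: two threads of one process whose uids differ. */
static int intra_process_signal(task_kill_hook hook)
{
    struct task sender = { 100, 0, 7 }, target = { 100, 1000, 7 };
    return check_kill_permission(&sender, &target, hook);
}

int main(void)
{
    printf("label hook: %d\n", intra_process_signal(hook_label));
    printf("uid hook:   %d\n", intra_process_signal(hook_uid));
    return 0;
}
```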