Security modules and sending signals within the same process

Stephen Smalley sds at tycho.nsa.gov
Fri Nov 30 16:02:15 UTC 2018


On 11/30/18 10:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?
> 
> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.
> 
> I want to support per-thread setresuid/setresgid, but we also use
> signals for inter-thread communication.  This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials.  I wonder if I need to disable cancellation for threads
> with such credentials.

(fixed selinux list address, which moved to vger)

Looks like commit 065add3941bd ("signals: check_kill_permission(): don't 
check creds if same_thread_group()") skipped the uid-based checks if the 
sender and target were in the same thread group, but not the security 
hook call.  One could argue that the security hook call ought to be 
skipped in that case as well using the same rationale given in that 
commit.  Nothing appears to guarantee the property you state above for 
security_task_kill implementations, although none of the in-tree users 
are based on uids or gids so setresuid/setresgid shouldn't affect them.



More information about the Linux-security-module-archive mailing list