Security modules and sending signals within the same process
Casey Schaufler
casey at schaufler-ca.com
Fri Nov 30 17:54:44 UTC 2018
On 11/30/2018 7:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?

No. An LSM may choose to disallow this based on just about any
criteria it desires.

> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.

SELinux, Smack and AppArmor make their decisions based on
the task_struct credential, so if it's possible to change
the LSM attributes at the task granularity, it's possible
to have a process that can't always talk to itself.

> I want to support per-thread setresuid/setresgid,

That's pretty dangerous in its own right. Effectively
the process containing the threads has multiple UIDs.
That complicates the DAC model significantly.

> but we also use
> signals for inter-thread communication.

It's unfortunate that no one has seriously proposed
mode bits on processes for signal delivery. The UID
matching policy is inconvenient in a lot of cases.
Hmmm...

> This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials. I wonder if I need to disable cancellation for threads
> with such credentials.
>
> Thanks,
> Florian
>
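
An added illustration, not part of the message above and not kernel code: a simplified userspace C model of the order in which the kernel's signal permission path applies the UID-matching (DAC) check and the security_task_kill hook. The label-comparison hook and the sample tasks are constructed assumptions; CAP_KILL and the SIGCONT same-session exception are left out.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified per-task credential: on Linux every thread (task) carries its own. */
struct cred { unsigned uid, euid, suid; const char *lsm_label; };
struct task { int tgid; struct cred cred; };

/* DAC rule for signals: sender's euid or uid must match target's suid or uid. */
static bool kill_ok_by_cred(const struct task *s, const struct task *t)
{
    return s->cred.euid == t->cred.suid || s->cred.euid == t->cred.uid ||
           s->cred.uid  == t->cred.suid || s->cred.uid  == t->cred.uid;
}

/* Hypothetical LSM hook standing in for security_task_kill: allow only when
 * both task labels are equal. Real modules apply their own policy. */
static int toy_task_kill(const struct task *s, const struct task *t)
{
    return strcmp(s->cred.lsm_label, t->cred.lsm_label) == 0 ? 0 : -EACCES;
}

/* The DAC check is skipped inside a thread group; the LSM hook always runs. */
static int check_kill_permission(const struct task *s, const struct task *t)
{
    if (s->tgid != t->tgid && !kill_ok_by_cred(s, t))
        return -EPERM;
    return toy_task_kill(s, t);
}

/* Constructed sample tasks: a, b and c are threads of one process (tgid 100). */
static const struct task thread_a = { 100, { 1000, 1000, 1000, "app" } };
static const struct task thread_b = { 100, { 2000, 2000, 2000, "app" } };      /* per-thread UID change */
static const struct task thread_c = { 100, { 1000, 1000, 1000, "confined" } }; /* per-thread label change */
static const struct task other_d  = { 200, { 2000, 2000, 2000, "app" } };      /* different process */

int main(void)
{
    printf("a -> b (same group, other UID):   %d\n", check_kill_permission(&thread_a, &thread_b));
    printf("a -> c (same group, other label): %d\n", check_kill_permission(&thread_a, &thread_c));
    printf("a -> d (other process, other UID): %d\n", check_kill_permission(&thread_a, &other_d));
    return 0;
}
```

In this model a per-thread UID change alone does not block a signal between threads of one process, while a per-thread change of LSM attributes does, which is the case a thread-cancellation implementation would have to tolerate.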