Security modules and sending signals within the same process
Stephen Smalley
sds at tycho.nsa.gov
Fri Nov 30 16:02:15 UTC 2018
On 11/30/18 10:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?
>
> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.
>
> I want to support per-thread setresuid/setresgid, but we also use
> signals for inter-thread communication. This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials. I wonder if I need to disable cancellation for threads
> with such credentials.
(fixed selinux list address, which moved to vger)
Looks like commit 065add3941bd ("signals: check_kill_permission(): don't
check creds if same_thread_group()") skipped the uid-based checks if the
sender and target were in the same thread group, but not the security
hook call. One could argue that the security hook call ought to be
skipped in that case as well using the same rationale given in that
commit. Nothing appears to guarantee the property you state above for
security_task_kill implementations, although none of the in-tree users
are based on uids or gids so setresuid/setresgid shouldn't affect them.
More information about the Linux-security-module-archive
mailing list