From: Atsushi Tsuji <a-tsuji@bk.jp.nec.com>
To: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Roland McGrath <roland@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Davide Libenzi <davidel@xmailserver.org>,
Ingo Molnar <mingo@elte.hu>, Jiri Kosina <jkosina@suse.cz>,
Linus Torvalds <torvalds@linux-foundation.org>,
Pavel Emelyanov <xemul@openvz.org>,
linux-kernel@vger.kernel.org, Serge Hallyn <serge@hallyn.com>
Subject: Re: [PATCH] signals: check_kill_permission: check session under tasklist_lock
Date: Wed, 19 Mar 2008 11:19:50 +0900
Message-ID: <47E07846.9050707@bk.jp.nec.com>
In-Reply-To: <20080318144431.GA3384@tv-sign.ru>

Oleg Nesterov wrote:
> (on top of signals-cleanup-security_task_kill-usage-implementation.patch)
>
> This wasn't documented, but as Atsushi Tsuji <a-tsuji@bk.jp.nec.com> pointed
> out, check_kill_permission() needs tasklist_lock for task_session_nr().
> I missed this fact when I removed tasklist from the callers.
>
> Change check_kill_permission() to take tasklist_lock for the SIGCONT case.
> Re-order security checks so that we take tasklist_lock only if/when it is
> actually needed. This is a minimal fix for now, tasklist will be removed
> later.

Thanks, I confirmed the problem is fixed by this patch.

>
> Also change the code to use task_session() instead of task_session_nr().
>
> Also, remove the SIGCONT check from cap_task_kill(), it is bogus (and the
> whole function is bogus. Serge, Eric, why is it still alive?).
>
> Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>

Acked-by: Atsushi Tsuji <a-tsuji@bk.jp.nec.com>

>
> --- 25/kernel/signal.c~CKP_TAKE_TASKLIST 2008-03-18 14:47:00.000000000 +0300
> +++ 25/kernel/signal.c 2008-03-18 17:25:19.000000000 +0300
> @@ -533,6 +533,7 @@ static int rm_from_queue(unsigned long m
> static int check_kill_permission(int sig, struct siginfo *info,
> struct task_struct *t)
> {
> + struct pid *sid;
> int error;
>
> if (!valid_signal(sig))
> @@ -545,11 +546,24 @@ static int check_kill_permission(int sig
> if (error)
> return error;
>
> - if (((sig != SIGCONT) || (task_session_nr(current) != task_session_nr(t)))
> - && (current->euid ^ t->suid) && (current->euid ^ t->uid)
> - && (current->uid ^ t->suid) && (current->uid ^ t->uid)
> - && !capable(CAP_KILL))
> - return -EPERM;
> + if ((current->euid ^ t->suid) && (current->euid ^ t->uid) &&
> + (current->uid ^ t->suid) && (current->uid ^ t->uid) &&
> + !capable(CAP_KILL)) {
> + switch (sig) {
> + case SIGCONT:
> + read_lock(&tasklist_lock);
> + sid = task_session(t);
> + read_unlock(&tasklist_lock);
> + /*
> + * We don't return the error if sid == NULL. The
> + * task was unhashed, the caller must notice this.
> + */
> + if (!sid || sid == task_session(current))
> + break;
> + default:
> + return -EPERM;
> + }
> + }
>
> return security_task_kill(t, info, sig, 0);
> }
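
Review bot: the `case SIGCONT:` arm relies on falling through into `default:` to return -EPERM when the sessions differ, and nothing marks that as intentional. A `/* fall through */` comment before `default:` would keep a later reader from "fixing" it with a break, which would let a cross-session SIGCONT from an unrelated uid pass this check. The existing comment could also say why `task_session(current)` is read outside `tasklist_lock` while `task_session(t)` needs it, and note that `sid` is only compared after `read_unlock(&tasklist_lock)`, never dereferenced.
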
> --- 25/security/commoncap.c~CKP_TAKE_TASKLIST 2008-03-18 17:07:02.000000000 +0300
> +++ 25/security/commoncap.c 2008-03-18 17:21:10.000000000 +0300
> @@ -552,10 +552,6 @@ int cap_task_kill(struct task_struct *p,
> if (p->uid == current->uid)
> return 0;
>
> - /* sigcont is permitted within same session */
> - if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))
> - return 0;
> -
> if (secid)
> /*
> * Signal sent as a particular user.
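
Review bot: the changelog justifies dropping the same-session SIGCONT shortcut here only as "bogus", without saying what the remaining code does for that case. In the new check_kill_permission() a same-session SIGCONT from a different uid breaks out of the switch and still reaches `return security_task_kill(t, info, sig, 0)`, so it now runs through cap_task_kill() past the `p->uid == current->uid` test. The part of the function after `if (secid)` is not visible in this hunk, so the changelog should state whether that path still returns 0 or whether denying it is an intended behaviour change.
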