[PATCH] file capabilities: allow sigcont within session (v2)

[PATCH] file capabilities: allow sigcont within session (v2)

[Serge E. Hallyn]

>From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue@us.ibm.com>
Date: Wed, 31 Oct 2007 11:22:04 -0500
Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)

(This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)

Allow sigcont to be sent to a process with greater capabilities
if it is in the same session.  Otherwise, a shell from which
I've started a root shell and done 'suspend' can't be restarted
by the parent shell.

Also don't do file-capabilities signaling checks when uids for
the processes don't match, since the standard check_kill_permission
will have done those checks.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 security/commoncap.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index bf67871..4de6857 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
 	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
 		return 0;
 
+	/* if tasks have same uid, then check_kill_permission did check */
+	if (current->uid == p->uid || current->euid == p->uid ||
+		current->uid == p->suid || current->euid == p->suid)
+		return 0;
+
+	/* sigcont is permitted within same session */
+	if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
+		return 0;
+
 	if (secid)
 		/*
 		 * Signal sent as a particular user.
-- 
1.5.1.1.GIT

Re: [PATCH] file capabilities: allow sigcont within session (v2)

[Andrew Morgan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ackd.

Cheers

Andrew

Serge E. Hallyn wrote:
>>From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <serue@us.ibm.com>
> Date: Wed, 31 Oct 2007 11:22:04 -0500
> Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
> 
> (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
> 
> Allow sigcont to be sent to a process with greater capabilities
> if it is in the same session.  Otherwise, a shell from which
> I've started a root shell and done 'suspend' can't be restarted
> by the parent shell.
> 
> Also don't do file-capabilities signaling checks when uids for
> the processes don't match, since the standard check_kill_permission
> will have done those checks.
> 
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> ---
>  security/commoncap.c |    9 +++++++++
>  1 files changed, 9 insertions(+), 0 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bf67871..4de6857 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
>  	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
>  		return 0;
>  
> +	/* if tasks have same uid, then check_kill_permission did check */
> +	if (current->uid == p->uid || current->euid == p->uid ||
> +		current->uid == p->suid || current->euid == p->suid)
> +		return 0;
> +
> +	/* sigcont is permitted within same session */
> +	if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> +		return 0;
> +
>  	if (secid)
>  		/*
>  		 * Signal sent as a particular user.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHKSuSmwytjiwfWMwRAkHXAJ4lr07yW936ychUGNxqQSOanZTecwCePYVc
d8uP0I3AEDjTpG8s7Nojo7Y=
=8777
-----END PGP SIGNATURE-----

Re: [PATCH] file capabilities: allow sigcont within session (v2)

[Andrew Morgan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[kernel/signal.c:check_kill_permission() could probably benefit from
getting more consistently indented!]

I'm not sure I can grok your comment. Did you mean:

  /* as per, check_kill_permission(), permit if tasks have same uid */

As to content:

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>

Cheers

Andrew

Serge E. Hallyn wrote:
>>From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <serue@us.ibm.com>
> Date: Wed, 31 Oct 2007 11:22:04 -0500
> Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
> 
> (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
> 
> Allow sigcont to be sent to a process with greater capabilities
> if it is in the same session.  Otherwise, a shell from which
> I've started a root shell and done 'suspend' can't be restarted
> by the parent shell.
> 
> Also don't do file-capabilities signaling checks when uids for
> the processes don't match, since the standard check_kill_permission
> will have done those checks.
> 
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> ---
>  security/commoncap.c |    9 +++++++++
>  1 files changed, 9 insertions(+), 0 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bf67871..4de6857 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
>  	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
>  		return 0;
>  
> +	/* if tasks have same uid, then check_kill_permission did check */
> +	if (current->uid == p->uid || current->euid == p->uid ||
> +		current->uid == p->suid || current->euid == p->suid)
> +		return 0;
> +
> +	/* sigcont is permitted within same session */
> +	if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> +		return 0;
> +
>  	if (secid)
>  		/*
>  		 * Signal sent as a particular user.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHKVpRQheEq9QabfIRAnp9AKCZHb526eioQWKycH7V7LfcHP7VvQCdG0AJ
QTVOLvQ2hip+j2qZ1mb2Y6w=
=45et
-----END PGP SIGNATURE-----

Re: [PATCH] file capabilities: allow sigcont within session (v2)

[Stephen Smalley]

On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote:
> >From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <serue@us.ibm.com>
> Date: Wed, 31 Oct 2007 11:22:04 -0500
> Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
> 
> (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
> 
> Allow sigcont to be sent to a process with greater capabilities
> if it is in the same session.  Otherwise, a shell from which
> I've started a root shell and done 'suspend' can't be restarted
> by the parent shell.
> 
> Also don't do file-capabilities signaling checks when uids for
> the processes don't match, since the standard check_kill_permission
> will have done those checks.

Description doesn't match the code.  And in the non-matching uid case,
check_kill_permission typically returns an error before it reaches
cap_task_kill (modulo the special cases).

> 
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> ---
>  security/commoncap.c |    9 +++++++++
>  1 files changed, 9 insertions(+), 0 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bf67871..4de6857 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
>  	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
>  		return 0;
>  
> +	/* if tasks have same uid, then check_kill_permission did check */
> +	if (current->uid == p->uid || current->euid == p->uid ||
> +		current->uid == p->suid || current->euid == p->suid)
> +		return 0;

I'm confused - if you are allowing all signals within the same uid, then
what was the point of having a cap_task_kill at all?  cap_task_kill was
supposed to prevent a process with lesser capabilities from killing a
process with more capabilities, even if they have the same uid, so that
when you have a program marked with file capabilities instead of a
setuid-0 program, that program can't be sent arbitrary signals by the
caller.

> +
> +	/* sigcont is permitted within same session */
> +	if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> +		return 0;
> +
>  	if (secid)
>  		/*
>  		 * Signal sent as a particular user.
-- 
Stephen Smalley
National Security Agency

Re: [PATCH] file capabilities: allow sigcont within session (v2)

[Serge E. Hallyn]

Quoting Stephen Smalley (sds@epoch.ncsc.mil):
> On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote:
> > >From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> > From: Serge E. Hallyn <serue@us.ibm.com>
> > Date: Wed, 31 Oct 2007 11:22:04 -0500
> > Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
> > 
> > (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
> > 
> > Allow sigcont to be sent to a process with greater capabilities
> > if it is in the same session.  Otherwise, a shell from which
> > I've started a root shell and done 'suspend' can't be restarted
> > by the parent shell.
> > 
> > Also don't do file-capabilities signaling checks when uids for
> > the processes don't match, since the standard check_kill_permission
> > will have done those checks.
> 
> Description doesn't match the code.

Egads.  I knew I should've just kept that part out of it for the first
patch...

New patch on top of previous one is appended.

Thanks.

> And in the non-matching uid case,
> check_kill_permission typically returns an error before it reaches
> cap_task_kill (modulo the special cases).

Typically, but when it doesn't, then the file capabilities shouldn't get
in the way of check_kill_permission() granting permission.  The file
capabilities 

> 
> > 
> > Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> > ---
> >  security/commoncap.c |    9 +++++++++
> >  1 files changed, 9 insertions(+), 0 deletions(-)
> > 
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index bf67871..4de6857 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
> >  	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
> >  		return 0;
> >  
> > +	/* if tasks have same uid, then check_kill_permission did check */
> > +	if (current->uid == p->uid || current->euid == p->uid ||
> > +		current->uid == p->suid || current->euid == p->suid)
> > +		return 0;
> 
> I'm confused - if you are allowing all signals within the same uid, then

No I was confused.  I wanted to allow for tasks with different uids.

But in fact that's not safe anyway.  A binary can be setuid and owned by
a non-root user user1, have file capabilities, and be executed by user2.

(Anyway given how grossly my code missed my erroneous intentions, I need
to add some signal tests to my file capabilities tests - and get those
tests into LTP)

> what was the point of having a cap_task_kill at all?  cap_task_kill was
> supposed to prevent a process with lesser capabilities from killing a
> process with more capabilities, even if they have the same uid, so that
> when you have a program marked with file capabilities instead of a
> setuid-0 program, that program can't be sent arbitrary signals by the
> caller.
> 
> > +
> > +	/* sigcont is permitted within same session */
> > +	if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> > +		return 0;
> > +
> >  	if (secid)
> >  		/*
> >  		 * Signal sent as a particular user.
> -- 
> Stephen Smalley
> National Security Agency

Thanks, Stephen.

>From 98741f07ab1bc4a1fc2de7fedfb9023ea30bf988 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue@us.ibm.com>
Date: Thu, 1 Nov 2007 08:20:12 -0500
Subject: [PATCH 1/1] file capabilities: remove the non-matching uid special case for kill

There I went again having one patch do two (related) things.

Remove the special check I had added to cap_task_kill() for
non-matching uids.  In fact it turns out the check wouldn't be
safe even if I'd coded it correctly.  A binary can be setuid
and owned by a non-root user user1, have file capabilities, and
be executed by user2.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 security/commoncap.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index f04784a..302e8d0 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,11 +526,6 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
 	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
 		return 0;
 
-	/* if tasks have same uid, then check_kill_permission did check */
-	if (current->uid == p->uid || current->euid == p->uid ||
-		current->uid == p->suid || current->euid == p->suid)
-		return 0;
-
 	/* sigcont is permitted within same session */
 	if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))
 		return 0;
-- 
1.5.1.1.GIT

Re: [PATCH] file capabilities: allow sigcont within session (v2)

[Theodore Tso]

On Thu, Nov 01, 2007 at 08:47:01AM -0500, Serge E. Hallyn wrote:
> Egads.  I knew I should've just kept that part out of it for the first
> patch...
> 
> New patch on top of previous one is appended.

I assume you'll just collapse the two patches together before you
submit them?  I've been distracted dealing with the ALPM suspend2ram
regression, which Jeff Garzik beat me to in bisecting, but I'll try
out your newer patch now...

						- Ted

Re: [PATCH] file capabilities: allow sigcont within session (v2)

[Theodore Tso]

On Thu, Nov 01, 2007 at 08:47:01AM -0500, Serge E. Hallyn wrote:
> > > >From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> > > From: Serge E. Hallyn <serue@us.ibm.com>
> > > Date: Wed, 31 Oct 2007 11:22:04 -0500
> > > Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)

> New patch on top of previous one is appended.
> 
> From 98741f07ab1bc4a1fc2de7fedfb9023ea30bf988 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <serue@us.ibm.com>
> Date: Thu, 1 Nov 2007 08:20:12 -0500
> Subject: [PATCH 1/1] file capabilities: remove the non-matching uid special case for kill
> 

Tested-by: "Theodore Ts'o" <tytso@mit.edu>

Thanks, this fixes the issue I reported!

				- Ted

Re: [PATCH] file capabilities: allow sigcont within session (v2)

[Andrew Morgan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Serge E. Hallyn wrote:
> Quoting Stephen Smalley (sds@epoch.ncsc.mil):
>> On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote:
[..]
>>> Also don't do file-capabilities signaling checks when uids for
>>> the processes don't match, since the standard check_kill_permission
>>> will have done those checks.
>> Description doesn't match the code.
> 
> Egads.  I knew I should've just kept that part out of it for the first
> patch...
> 
> New patch on top of previous one is appended.

Dang! I stared at the code a long time to see what you were doing...

And concluded that you had coded what you intended; allow processes that
share UIDs to kill one another - independent of capabilities. The fact
that this is the reverse of the words you used to introduce your patch,
I didn't notice.

I totally missed the fact that this was (unwanted) new functionality!!
Mea culpa for the bad review.

I certainly Sign off the revised patch.

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHLOicmwytjiwfWMwRAq5HAJ49eajMT4myf1oKfrab2oCw/o9HnwCgkYt2
RyIsmHVWmClsrxCz5s1HRJY=
=hGLO
-----END PGP SIGNATURE-----