From: Stephen Smalley <sds@tycho.nsa.gov>
To: Oleg Nesterov <oleg@redhat.com>
Cc: James Morris <jmorris@namei.org>,
David Howells <dhowells@redhat.com>,
Eric Paris <eparis@parisplace.org>,
Roland McGrath <roland@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: Q: selinux_bprm_committed_creds() && signals/do_wait
Date: Wed, 29 Apr 2009 08:20:30 -0400 [thread overview]
Message-ID: <1241007630.18249.141.camel@localhost.localdomain> (raw)
In-Reply-To: <20090429065809.GA477@redhat.com>
On Wed, 2009-04-29 at 08:58 +0200, Oleg Nesterov wrote:
> On 04/29, James Morris wrote:
> >
> > On Wed, 29 Apr 2009, Oleg Nesterov wrote:
> >
> > > selinux_bprm_committed_creds:
> > >
> > > rc = avc_has_perm()
> > > if (rc) {
> > > flush_signals(current);
> > >
> > > This doesn't look right. If the task was SIGKILL'ed we must not proceed,
> > > the task should die. The fix is simple, we should check SIGNAL_GROUP_EXIT
> > > and do nothing in this case, the task will exit before return to user
> > > space. If SIGNAL_GROUP_EXIT is set, it is just wrong to drop SIGKILL and
> > > continue.
> >
> > I'm not quite sure what you're asking. This is a permission check to see
> > if the new task can inherit the signal state of the parent,
>
> we can flush the signal which was sent after we changed SID/cred and passed
> the new permission checks,
>
> > and if not,
> > the new task's signal state is flushed.
> >
> > Where does a consideration of SIGKILL arise?
>
> It is not possible to flush SIGKILL. Once SIGKILL (or another fatal signal)
> is queued, it sets SIGNAL_GROUP_EXIT which can't be and must not be cleared.
>
> But, there is no need to flush SIGKILL. The task will exit. If it was sent
> before we changed SID, we can pretend the task has died before exec().
>
> > > But, before fixing, I'd like to understand why we are doing
> > >
> > > flush_signal_handlers(current, 1);
> > > sigemptyset(¤t->blocked);
> > >
> > > later. Could someone explain ? This looks unneeded.
> >
> > This is part of clearing all the signal state in the child.
>
> This doesn't explain why we are doing this ;)
>
> Why do we need to s/IGN/DFL/ and why do we clear ->blocked ? How this can
> help from the security pov?
We don't want the caller to be able to arrange conditions that prevent
correct handling of signals (e.g. SIGHUP) by the callee. That was
motivated by a specific attack against newrole, but was a general issue
for any program that runs in a more trusted domain than its caller.
As I recall, I based the logic in part on existing logic in
call_usermodehelper().
> In fact this looks a bit wrong. The only way to ensure we can't lose the
> signal during exec() is to block it beforehand, then install the handler
> after exec(). s/IGN/DFL/ doesn't look good too.
>
> But, if we really need this for security (selinux is a black magic to me),
> then the above doesn't matter. Please help to understand.
>
> Oleg.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2009-04-29 12:27 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-28 22:30 Q: selinux_bprm_committed_creds() && signals/do_wait Oleg Nesterov
2009-04-28 23:33 ` Oleg Nesterov
2009-04-29 16:01 ` [PATCH] do_wait: do take security_task_wait() into account Oleg Nesterov
2009-04-30 20:31 ` Roland McGrath
2009-04-30 22:51 ` James Morris
2009-05-06 11:46 ` Stephen Smalley
2009-04-29 0:29 ` Q: selinux_bprm_committed_creds() && signals/do_wait James Morris
2009-04-29 6:58 ` Oleg Nesterov
2009-04-29 12:20 ` Stephen Smalley [this message]
2009-04-29 12:56 ` Oleg Nesterov
2009-04-29 13:16 ` Stephen Smalley
2009-04-29 13:42 ` Oleg Nesterov
2009-04-29 13:43 ` Stephen Smalley
2009-04-29 14:47 ` Alan Cox
2009-04-29 15:39 ` Stephen Smalley
2009-04-29 10:02 ` David Howells
2009-04-29 10:25 ` Oleg Nesterov
2009-04-29 11:17 ` David Howells
2009-04-29 11:55 ` Oleg Nesterov
2009-04-29 12:42 ` David Howells
2009-04-29 12:45 ` David Howells
2009-04-29 13:28 ` Oleg Nesterov
2009-04-30 0:37 ` James Morris
2009-04-29 13:18 ` Stephen Smalley
2009-04-29 13:30 ` Oleg Nesterov
2009-04-29 14:02 ` ptrace: selinux_bprm_committed_creds: simplify __wake_up_parent() code and s/parent/real_parent/ Oleg Nesterov
2009-04-29 14:08 ` Oleg Nesterov
2009-04-30 22:44 ` Roland McGrath
2009-05-03 20:10 ` Oleg Nesterov
2009-05-04 17:38 ` Roland McGrath
2009-04-30 0:38 ` James Morris
2009-04-30 22:38 ` Roland McGrath
2009-04-29 14:48 ` Q: selinux_bprm_committed_creds() && signals/do_wait Alan Cox
2009-05-01 0:02 ` Roland McGrath
2009-05-03 20:21 ` Oleg Nesterov
2009-05-04 17:34 ` Roland McGrath
2009-05-01 0:44 ` David Howells
2009-05-01 0:50 ` Roland McGrath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1241007630.18249.141.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=dhowells@redhat.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=roland@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.