Linux-Security-Module Archive on lore.kernel.org
 help / Atom feed
* Security modules and sending signals within the same process
@ 2018-11-30 15:14 Florian Weimer
  2018-11-30 16:02 ` Stephen Smalley
  2018-11-30 17:54 ` Casey Schaufler
  0 siblings, 2 replies; 6+ messages in thread
From: Florian Weimer @ 2018-11-30 15:14 UTC (permalink / raw)
  To: apparmor, linux-security-module, selinux, linux-api
  Cc: H. Peter Anvin, Arnd Bergmann

Is it guaranteed that tasks in the same thread group can always send
signals to each other, irrespective of their respective credentials
structs?

It's not clear to me whether this is always possible based on the
security_task_kill implementations I've examined.

I want to support per-thread setresuid/setresgid, but we also use
signals for inter-thread communication.  This is mainly for thread
cancellation; the setxgid stuff isn't needed for threads with private
credentials.  I wonder if I need to disable cancellation for threads
with such credentials.

Thanks,
Florian

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Security modules and sending signals within the same process
  2018-11-30 15:14 Security modules and sending signals within the same process Florian Weimer
@ 2018-11-30 16:02 ` Stephen Smalley
  2018-12-11 10:42   ` Florian Weimer
  2018-11-30 17:54 ` Casey Schaufler
  1 sibling, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2018-11-30 16:02 UTC (permalink / raw)
  To: Florian Weimer, apparmor, linux-security-module, selinux, linux-api
  Cc: Arnd Bergmann, H. Peter Anvin

On 11/30/18 10:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?
> 
> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.
> 
> I want to support per-thread setresuid/setresgid, but we also use
> signals for inter-thread communication.  This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials.  I wonder if I need to disable cancellation for threads
> with such credentials.

(fixed selinux list address, which moved to vger)

Looks like commit 065add3941bd ("signals: check_kill_permission(): don't 
check creds if same_thread_group()") skipped the uid-based checks if the 
sender and target were in the same thread group, but not the security 
hook call.  One could argue that the security hook call ought to be 
skipped in that case as well using the same rationale given in that 
commit.  Nothing appears to guarantee the property you state above for 
security_task_kill implementations, although none of the in-tree users 
are based on uids or gids so setresuid/setresgid shouldn't affect them.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Security modules and sending signals within the same process
  2018-11-30 15:14 Security modules and sending signals within the same process Florian Weimer
  2018-11-30 16:02 ` Stephen Smalley
@ 2018-11-30 17:54 ` Casey Schaufler
  2018-11-30 18:00   ` Florian Weimer
  2018-11-30 23:38   ` [apparmor] " John Johansen
  1 sibling, 2 replies; 6+ messages in thread
From: Casey Schaufler @ 2018-11-30 17:54 UTC (permalink / raw)
  To: Florian Weimer, apparmor, linux-security-module, selinux, linux-api
  Cc: H. Peter Anvin, Arnd Bergmann

On 11/30/2018 7:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?

No. An LSM may chose to disallow this based on just about any
criteria it desires.

> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.

SELinux, Smack and AppArmor make their decisions based on
the task_struct credential, so if it's possible to change
the LSM attributes at the task granularity, it's possible
to have a process that can't always talk to itself.

> I want to support per-thread setresuid/setresgid,

That's pretty dangerous in its own right. Effectively
the process containing the threads has multiple UIDs.
That complicates the DAC model significantly.

> but we also use
> signals for inter-thread communication.

It's unfortunate that no one has seriously proposed
mode bits on processes for signal delivery. The UID
matching policy is inconvenient in a lot of cases.
Hmmm...

> This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials.  I wonder if I need to disable cancellation for threads
> with such credentials.
>
> Thanks,
> Florian
>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Security modules and sending signals within the same process
  2018-11-30 17:54 ` Casey Schaufler
@ 2018-11-30 18:00   ` Florian Weimer
  2018-11-30 23:38   ` [apparmor] " John Johansen
  1 sibling, 0 replies; 6+ messages in thread
From: Florian Weimer @ 2018-11-30 18:00 UTC (permalink / raw)
  To: Casey Schaufler
  Cc: apparmor, linux-security-module, selinux, linux-api,
	H. Peter Anvin, Arnd Bergmann

* Casey Schaufler:

> On 11/30/2018 7:14 AM, Florian Weimer wrote:
>> Is it guaranteed that tasks in the same thread group can always send
>> signals to each other, irrespective of their respective credentials
>> structs?
>
> No. An LSM may chose to disallow this based on just about any
> criteria it desires.

Hmm.

>> It's not clear to me whether this is always possible based on the
>> security_task_kill implementations I've examined.
>
> SELinux, Smack and AppArmor make their decisions based on
> the task_struct credential, so if it's possible to change
> the LSM attributes at the task granularity, it's possible
> to have a process that can't always talk to itself.

Yes, we already have this today for LSM attributes.  We only paper over
this for the UIDs/GIDs, using a really awkward mechanism.  Maybe we will
get rid of that one day, when the kernel supports a proper per-process
attribute, but I don't count on it.

>> I want to support per-thread setresuid/setresgid,
>
> That's pretty dangerous in its own right. Effectively
> the process containing the threads has multiple UIDs.
> That complicates the DAC model significantly.

Sure.  But I think it's better to do this explicitly in glibc, rather
than file server authors calling the system calls directly.  And it only
exposes what the kernel does anyway.

Thanks,
Florian

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [apparmor] Security modules and sending signals within the same process
  2018-11-30 17:54 ` Casey Schaufler
  2018-11-30 18:00   ` Florian Weimer
@ 2018-11-30 23:38   ` " John Johansen
  1 sibling, 0 replies; 6+ messages in thread
From: John Johansen @ 2018-11-30 23:38 UTC (permalink / raw)
  To: Casey Schaufler, Florian Weimer, apparmor, linux-security-module,
	selinux, linux-api
  Cc: Arnd Bergmann, H. Peter Anvin

On 11/30/18 9:54 AM, Casey Schaufler wrote:
> On 11/30/2018 7:14 AM, Florian Weimer wrote:
>> Is it guaranteed that tasks in the same thread group can always send
>> signals to each other, irrespective of their respective credentials
>> structs?
> 
> No. An LSM may chose to disallow this based on just about any
> criteria it desires.
> 

And apparmor is in fact doing this a few limited situations, userspace
has to request the profile change via an api, and regular policy
enforcement based on credentials mediates the signals. Its not
something we recommend but it has been used.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Security modules and sending signals within the same process
  2018-11-30 16:02 ` Stephen Smalley
@ 2018-12-11 10:42   ` Florian Weimer
  0 siblings, 0 replies; 6+ messages in thread
From: Florian Weimer @ 2018-12-11 10:42 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: apparmor, linux-security-module, selinux, linux-api,
	Arnd Bergmann, H. Peter Anvin

* Stephen Smalley:

> Looks like commit 065add3941bd ("signals: check_kill_permission():
> don't check creds if same_thread_group()") skipped the uid-based
> checks if the sender and target were in the same thread group, but not
> the security hook call.  One could argue that the security hook call
> ought to be skipped in that case as well using the same rationale
> given in that commit.  Nothing appears to guarantee the property you
> state above for security_task_kill implementations, although none of
> the in-tree users are based on uids or gids so setresuid/setresgid
> shouldn't affect them.

Okay, thanks, so it looks like I don't have to do anything special to
support thread cancellation.

Florian

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-30 15:14 Security modules and sending signals within the same process Florian Weimer
2018-11-30 16:02 ` Stephen Smalley
2018-12-11 10:42   ` Florian Weimer
2018-11-30 17:54 ` Casey Schaufler
2018-11-30 18:00   ` Florian Weimer
2018-11-30 23:38   ` [apparmor] " John Johansen

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable: git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox