* Security modules and sending signals within the same process
@ 2018-11-30 15:14 Florian Weimer
2018-11-30 16:02 ` Stephen Smalley
2018-11-30 17:54 ` Casey Schaufler
0 siblings, 2 replies; 6+ messages in thread
From: Florian Weimer @ 2018-11-30 15:14 UTC (permalink / raw)
To: apparmor, linux-security-module, selinux, linux-api
Cc: H. Peter Anvin, Arnd Bergmann
Is it guaranteed that tasks in the same thread group can always send
signals to each other, irrespective of their respective credentials
structs?
It's not clear to me whether this is always possible based on the
security_task_kill implementations I've examined.
I want to support per-thread setresuid/setresgid, but we also use
signals for inter-thread communication. This is mainly for thread
cancellation; the setxgid stuff isn't needed for threads with private
credentials. I wonder if I need to disable cancellation for threads
with such credentials.
Thanks,
Florian
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security modules and sending signals within the same process
2018-11-30 15:14 Security modules and sending signals within the same process Florian Weimer
@ 2018-11-30 16:02 ` Stephen Smalley
2018-12-11 10:42 ` Florian Weimer
2018-11-30 17:54 ` Casey Schaufler
1 sibling, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2018-11-30 16:02 UTC (permalink / raw)
To: Florian Weimer, apparmor, linux-security-module, selinux, linux-api
Cc: Arnd Bergmann, H. Peter Anvin
On 11/30/18 10:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?
>
> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.
>
> I want to support per-thread setresuid/setresgid, but we also use
> signals for inter-thread communication. This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials. I wonder if I need to disable cancellation for threads
> with such credentials.
(fixed selinux list address, which moved to vger)
Looks like commit 065add3941bd ("signals: check_kill_permission(): don't
check creds if same_thread_group()") skipped the uid-based checks if the
sender and target were in the same thread group, but not the security
hook call. One could argue that the security hook call ought to be
skipped in that case as well using the same rationale given in that
commit. Nothing appears to guarantee the property you state above for
security_task_kill implementations, although none of the in-tree users
are based on uids or gids so setresuid/setresgid shouldn't affect them.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Security modules and sending signals within the same process
2018-11-30 16:02 ` Stephen Smalley
@ 2018-12-11 10:42 ` Florian Weimer
0 siblings, 0 replies; 6+ messages in thread
From: Florian Weimer @ 2018-12-11 10:42 UTC (permalink / raw)
To: Stephen Smalley
Cc: apparmor, linux-security-module, selinux, linux-api,
Arnd Bergmann, H. Peter Anvin
* Stephen Smalley:
> Looks like commit 065add3941bd ("signals: check_kill_permission():
> don't check creds if same_thread_group()") skipped the uid-based
> checks if the sender and target were in the same thread group, but not
> the security hook call. One could argue that the security hook call
> ought to be skipped in that case as well using the same rationale
> given in that commit. Nothing appears to guarantee the property you
> state above for security_task_kill implementations, although none of
> the in-tree users are based on uids or gids so setresuid/setresgid
> shouldn't affect them.
Okay, thanks, so it looks like I don't have to do anything special to
support thread cancellation.
Florian
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security modules and sending signals within the same process
2018-11-30 15:14 Security modules and sending signals within the same process Florian Weimer
2018-11-30 16:02 ` Stephen Smalley
@ 2018-11-30 17:54 ` Casey Schaufler
2018-11-30 18:00 ` Florian Weimer
2018-11-30 23:38 ` [apparmor] " John Johansen
1 sibling, 2 replies; 6+ messages in thread
From: Casey Schaufler @ 2018-11-30 17:54 UTC (permalink / raw)
To: Florian Weimer, apparmor, linux-security-module, selinux, linux-api
Cc: H. Peter Anvin, Arnd Bergmann
On 11/30/2018 7:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?
No. An LSM may chose to disallow this based on just about any
criteria it desires.
> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.
SELinux, Smack and AppArmor make their decisions based on
the task_struct credential, so if it's possible to change
the LSM attributes at the task granularity, it's possible
to have a process that can't always talk to itself.
> I want to support per-thread setresuid/setresgid,
That's pretty dangerous in its own right. Effectively
the process containing the threads has multiple UIDs.
That complicates the DAC model significantly.
> but we also use
> signals for inter-thread communication.
It's unfortunate that no one has seriously proposed
mode bits on processes for signal delivery. The UID
matching policy is inconvenient in a lot of cases.
Hmmm...
> This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials. I wonder if I need to disable cancellation for threads
> with such credentials.
>
> Thanks,
> Florian
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security modules and sending signals within the same process
2018-11-30 17:54 ` Casey Schaufler
@ 2018-11-30 18:00 ` Florian Weimer
2018-11-30 23:38 ` [apparmor] " John Johansen
1 sibling, 0 replies; 6+ messages in thread
From: Florian Weimer @ 2018-11-30 18:00 UTC (permalink / raw)
To: Casey Schaufler
Cc: apparmor, linux-security-module, selinux, linux-api,
H. Peter Anvin, Arnd Bergmann
* Casey Schaufler:
> On 11/30/2018 7:14 AM, Florian Weimer wrote:
>> Is it guaranteed that tasks in the same thread group can always send
>> signals to each other, irrespective of their respective credentials
>> structs?
>
> No. An LSM may chose to disallow this based on just about any
> criteria it desires.
Hmm.
>> It's not clear to me whether this is always possible based on the
>> security_task_kill implementations I've examined.
>
> SELinux, Smack and AppArmor make their decisions based on
> the task_struct credential, so if it's possible to change
> the LSM attributes at the task granularity, it's possible
> to have a process that can't always talk to itself.
Yes, we already have this today for LSM attributes. We only paper over
this for the UIDs/GIDs, using a really awkward mechanism. Maybe we will
get rid of that one day, when the kernel supports a proper per-process
attribute, but I don't count on it.
>> I want to support per-thread setresuid/setresgid,
>
> That's pretty dangerous in its own right. Effectively
> the process containing the threads has multiple UIDs.
> That complicates the DAC model significantly.
Sure. But I think it's better to do this explicitly in glibc, rather
than file server authors calling the system calls directly. And it only
exposes what the kernel does anyway.
Thanks,
Florian
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [apparmor] Security modules and sending signals within the same process
2018-11-30 17:54 ` Casey Schaufler
2018-11-30 18:00 ` Florian Weimer
@ 2018-11-30 23:38 ` John Johansen
1 sibling, 0 replies; 6+ messages in thread
From: John Johansen @ 2018-11-30 23:38 UTC (permalink / raw)
To: Casey Schaufler, Florian Weimer, apparmor, linux-security-module,
selinux, linux-api
Cc: Arnd Bergmann, H. Peter Anvin
On 11/30/18 9:54 AM, Casey Schaufler wrote:
> On 11/30/2018 7:14 AM, Florian Weimer wrote:
>> Is it guaranteed that tasks in the same thread group can always send
>> signals to each other, irrespective of their respective credentials
>> structs?
>
> No. An LSM may chose to disallow this based on just about any
> criteria it desires.
>
And apparmor is in fact doing this a few limited situations, userspace
has to request the profile change via an api, and regular policy
enforcement based on credentials mediates the signals. Its not
something we recommend but it has been used.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-12-11 10:42 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-30 15:14 Security modules and sending signals within the same process Florian Weimer
2018-11-30 16:02 ` Stephen Smalley
2018-12-11 10:42 ` Florian Weimer
2018-11-30 17:54 ` Casey Schaufler
2018-11-30 18:00 ` Florian Weimer
2018-11-30 23:38 ` [apparmor] " John Johansen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).