>From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <[email protected]>
Date: Wed, 31 Oct 2007 11:22:04 -0500
Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
(This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
Allow sigcont to be sent to a process with greater capabilities
if it is in the same session. Otherwise, a shell from which
I've started a root shell and done 'suspend' can't be restarted
by the parent shell.
Also don't do file-capabilities signaling checks when uids for
the processes don't match, since the standard check_kill_permission
will have done those checks.
Signed-off-by: Serge E. Hallyn <[email protected]>
---
security/commoncap.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index bf67871..4de6857 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
return 0;
+ /* if tasks have same uid, then check_kill_permission did check */
+ if (current->uid == p->uid || current->euid == p->uid ||
+ current->uid == p->suid || current->euid == p->suid)
+ return 0;
+
+ /* sigcont is permitted within same session */
+ if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
+ return 0;
+
if (secid)
/*
* Signal sent as a particular user.
--
1.5.1.1.GIT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ackd.
Cheers
Andrew
Serge E. Hallyn wrote:
>>From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <[email protected]>
> Date: Wed, 31 Oct 2007 11:22:04 -0500
> Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
>
> (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
>
> Allow sigcont to be sent to a process with greater capabilities
> if it is in the same session. Otherwise, a shell from which
> I've started a root shell and done 'suspend' can't be restarted
> by the parent shell.
>
> Also don't do file-capabilities signaling checks when uids for
> the processes don't match, since the standard check_kill_permission
> will have done those checks.
>
> Signed-off-by: Serge E. Hallyn <[email protected]>
> ---
> security/commoncap.c | 9 +++++++++
> 1 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bf67871..4de6857 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
> if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
> return 0;
>
> + /* if tasks have same uid, then check_kill_permission did check */
> + if (current->uid == p->uid || current->euid == p->uid ||
> + current->uid == p->suid || current->euid == p->suid)
> + return 0;
> +
> + /* sigcont is permitted within same session */
> + if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> + return 0;
> +
> if (secid)
> /*
> * Signal sent as a particular user.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHKSuSmwytjiwfWMwRAkHXAJ4lr07yW936ychUGNxqQSOanZTecwCePYVc
d8uP0I3AEDjTpG8s7Nojo7Y=
=8777
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[kernel/signal.c:check_kill_permission() could probably benefit from
getting more consistently indented!]
I'm not sure I can grok your comment. Did you mean:
/* as per, check_kill_permission(), permit if tasks have same uid */
As to content:
Signed-off-by: Andrew G. Morgan <[email protected]>
Cheers
Andrew
Serge E. Hallyn wrote:
>>From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <[email protected]>
> Date: Wed, 31 Oct 2007 11:22:04 -0500
> Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
>
> (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
>
> Allow sigcont to be sent to a process with greater capabilities
> if it is in the same session. Otherwise, a shell from which
> I've started a root shell and done 'suspend' can't be restarted
> by the parent shell.
>
> Also don't do file-capabilities signaling checks when uids for
> the processes don't match, since the standard check_kill_permission
> will have done those checks.
>
> Signed-off-by: Serge E. Hallyn <[email protected]>
> ---
> security/commoncap.c | 9 +++++++++
> 1 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bf67871..4de6857 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
> if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
> return 0;
>
> + /* if tasks have same uid, then check_kill_permission did check */
> + if (current->uid == p->uid || current->euid == p->uid ||
> + current->uid == p->suid || current->euid == p->suid)
> + return 0;
> +
> + /* sigcont is permitted within same session */
> + if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> + return 0;
> +
> if (secid)
> /*
> * Signal sent as a particular user.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFHKVpRQheEq9QabfIRAnp9AKCZHb526eioQWKycH7V7LfcHP7VvQCdG0AJ
QTVOLvQ2hip+j2qZ1mb2Y6w=
=45et
-----END PGP SIGNATURE-----
On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote:
> >From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <[email protected]>
> Date: Wed, 31 Oct 2007 11:22:04 -0500
> Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
>
> (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
>
> Allow sigcont to be sent to a process with greater capabilities
> if it is in the same session. Otherwise, a shell from which
> I've started a root shell and done 'suspend' can't be restarted
> by the parent shell.
>
> Also don't do file-capabilities signaling checks when uids for
> the processes don't match, since the standard check_kill_permission
> will have done those checks.
Description doesn't match the code. And in the non-matching uid case,
check_kill_permission typically returns an error before it reaches
cap_task_kill (modulo the special cases).
>
> Signed-off-by: Serge E. Hallyn <[email protected]>
> ---
> security/commoncap.c | 9 +++++++++
> 1 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bf67871..4de6857 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
> if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
> return 0;
>
> + /* if tasks have same uid, then check_kill_permission did check */
> + if (current->uid == p->uid || current->euid == p->uid ||
> + current->uid == p->suid || current->euid == p->suid)
> + return 0;
I'm confused - if you are allowing all signals within the same uid, then
what was the point of having a cap_task_kill at all? cap_task_kill was
supposed to prevent a process with lesser capabilities from killing a
process with more capabilities, even if they have the same uid, so that
when you have a program marked with file capabilities instead of a
setuid-0 program, that program can't be sent arbitrary signals by the
caller.
> +
> + /* sigcont is permitted within same session */
> + if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> + return 0;
> +
> if (secid)
> /*
> * Signal sent as a particular user.
--
Stephen Smalley
National Security Agency
Quoting Stephen Smalley ([email protected]):
> On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote:
> > >From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> > From: Serge E. Hallyn <[email protected]>
> > Date: Wed, 31 Oct 2007 11:22:04 -0500
> > Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
> >
> > (This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)
> >
> > Allow sigcont to be sent to a process with greater capabilities
> > if it is in the same session. Otherwise, a shell from which
> > I've started a root shell and done 'suspend' can't be restarted
> > by the parent shell.
> >
> > Also don't do file-capabilities signaling checks when uids for
> > the processes don't match, since the standard check_kill_permission
> > will have done those checks.
>
> Description doesn't match the code.
Egads. I knew I should've just kept that part out of it for the first
patch...
New patch on top of previous one is appended.
Thanks.
> And in the non-matching uid case,
> check_kill_permission typically returns an error before it reaches
> cap_task_kill (modulo the special cases).
Typically, but when it doesn't, then the file capabilities shouldn't get
in the way of check_kill_permission() granting permission. The file
capabilities
>
> >
> > Signed-off-by: Serge E. Hallyn <[email protected]>
> > ---
> > security/commoncap.c | 9 +++++++++
> > 1 files changed, 9 insertions(+), 0 deletions(-)
> >
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index bf67871..4de6857 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
> > if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
> > return 0;
> >
> > + /* if tasks have same uid, then check_kill_permission did check */
> > + if (current->uid == p->uid || current->euid == p->uid ||
> > + current->uid == p->suid || current->euid == p->suid)
> > + return 0;
>
> I'm confused - if you are allowing all signals within the same uid, then
No I was confused. I wanted to allow for tasks with different uids.
But in fact that's not safe anyway. A binary can be setuid and owned by
a non-root user user1, have file capabilities, and be executed by user2.
(Anyway given how grossly my code missed my erroneous intentions, I need
to add some signal tests to my file capabilities tests - and get those
tests into LTP)
> what was the point of having a cap_task_kill at all? cap_task_kill was
> supposed to prevent a process with lesser capabilities from killing a
> process with more capabilities, even if they have the same uid, so that
> when you have a program marked with file capabilities instead of a
> setuid-0 program, that program can't be sent arbitrary signals by the
> caller.
>
> > +
> > + /* sigcont is permitted within same session */
> > + if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
> > + return 0;
> > +
> > if (secid)
> > /*
> > * Signal sent as a particular user.
> --
> Stephen Smalley
> National Security Agency
Thanks, Stephen.
>From 98741f07ab1bc4a1fc2de7fedfb9023ea30bf988 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <[email protected]>
Date: Thu, 1 Nov 2007 08:20:12 -0500
Subject: [PATCH 1/1] file capabilities: remove the non-matching uid special case for kill
There I went again having one patch do two (related) things.
Remove the special check I had added to cap_task_kill() for
non-matching uids. In fact it turns out the check wouldn't be
safe even if I'd coded it correctly. A binary can be setuid
and owned by a non-root user user1, have file capabilities, and
be executed by user2.
Signed-off-by: Serge E. Hallyn <[email protected]>
---
security/commoncap.c | 5 -----
1 files changed, 0 insertions(+), 5 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index f04784a..302e8d0 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,11 +526,6 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
return 0;
- /* if tasks have same uid, then check_kill_permission did check */
- if (current->uid == p->uid || current->euid == p->uid ||
- current->uid == p->suid || current->euid == p->suid)
- return 0;
-
/* sigcont is permitted within same session */
if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))
return 0;
--
1.5.1.1.GIT
On Thu, Nov 01, 2007 at 08:47:01AM -0500, Serge E. Hallyn wrote:
> Egads. I knew I should've just kept that part out of it for the first
> patch...
>
> New patch on top of previous one is appended.
I assume you'll just collapse the two patches together before you
submit them? I've been distracted dealing with the ALPM suspend2ram
regression, which Jeff Garzik beat me to in bisecting, but I'll try
out your newer patch now...
- Ted
On Thu, Nov 01, 2007 at 08:47:01AM -0500, Serge E. Hallyn wrote:
> > > >From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
> > > From: Serge E. Hallyn <[email protected]>
> > > Date: Wed, 31 Oct 2007 11:22:04 -0500
> > > Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)
> New patch on top of previous one is appended.
>
> From 98741f07ab1bc4a1fc2de7fedfb9023ea30bf988 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <[email protected]>
> Date: Thu, 1 Nov 2007 08:20:12 -0500
> Subject: [PATCH 1/1] file capabilities: remove the non-matching uid special case for kill
>
Tested-by: "Theodore Ts'o" <[email protected]>
Thanks, this fixes the issue I reported!
- Ted
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Serge E. Hallyn wrote:
> Quoting Stephen Smalley ([email protected]):
>> On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote:
[..]
>>> Also don't do file-capabilities signaling checks when uids for
>>> the processes don't match, since the standard check_kill_permission
>>> will have done those checks.
>> Description doesn't match the code.
>
> Egads. I knew I should've just kept that part out of it for the first
> patch...
>
> New patch on top of previous one is appended.
Dang! I stared at the code a long time to see what you were doing...
And concluded that you had coded what you intended; allow processes that
share UIDs to kill one another - independent of capabilities. The fact
that this is the reverse of the words you used to introduce your patch,
I didn't notice.
I totally missed the fact that this was (unwanted) new functionality!!
Mea culpa for the bad review.
I certainly Sign off the revised patch.
Cheers
Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHLOicmwytjiwfWMwRAq5HAJ49eajMT4myf1oKfrab2oCw/o9HnwCgkYt2
RyIsmHVWmClsrxCz5s1HRJY=
=hGLO
-----END PGP SIGNATURE-----