Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp10805310imu; Thu, 6 Dec 2018 07:05:39 -0800 (PST) X-Google-Smtp-Source: AFSGD/U65ZBTmRrYnHrv+wuzoC7huRI0TEypxYIwf+mJT6LhYBVcuLesx2+6b+hzMOduoQyh3iHw X-Received: by 2002:a63:d252:: with SMTP id t18mr24636770pgi.133.1544108739113; Thu, 06 Dec 2018 07:05:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544108739; cv=none; d=google.com; s=arc-20160816; b=OUuK+fmW5QgyQB+qp075Iit2Dq5lj0LEbozGIE8CuL2Vca4VBayxx6GUQi34OLIBmZ TV/903uI50oG5hm2HvwqkGQhI8HSlhMdSxXPRFUvv6DZDcVSIDA8V6CUDDuWuMjSso05 fXerZQG4lnVZcLsZ+/qAJlnDRYu7zGYCt2qpKsX8PYiOTR72JiZs9vTLGtgF/Z8Ltfzz AdAIZ+KCzOx1l3TuN1VZItwyPvx6L8nTc4DD8Yzx7OXHwuTjHRDUOvJ5ah4crnT+xAIc dby/BGVmgb2pNCU8Cyu6zvWmkHzOoUwSImdTHBOWuympUa19b7dsgh6ros5DC2ZeVG7b maUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from; bh=v/MVqCHUYG5rtbQI/6XEmI4nHLcqenmFl1jryIhoarY=; b=UVS03Rr1H8HFNeHy+fHnOZ0bS7TSaGDIVH5Mn7/ymwSt+dZ4cbGTO1jaR8gMu+2ydq G8ZxBviqo2EBwm85uNWxyWal1FlaLzEr/iz0E/aOsct8SDCdBiq75eab9y74Dc72Vbsz +/+dPD2v+l5Tp4B4h0T9Rk4rUxMQGX2ZPaB5A98qFkqyTNecO9at0FKqmRJpL4hKPmuW YsgWAL6HWIVKpz32GVk8BveHe/suPnXhRYE2D+F2a3ITG+cze/IphAprsxRNE197WD0G 7kOE/Z7ZRMythKvdOlsRFrwkKWITnYXn4pf0CikMWYbSgav5tlc658zNUVQLi531nUUv /m8A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i18si445402pgl.414.2018.12.06.07.05.11; Thu, 06 Dec 2018 07:05:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726250AbeLFPCZ (ORCPT + 99 others); Thu, 6 Dec 2018 10:02:25 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:46570 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725946AbeLFPCY (ORCPT ); Thu, 6 Dec 2018 10:02:24 -0500 Received: from in02.mta.xmission.com ([166.70.13.52]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1gUvAR-00083C-PJ; Thu, 06 Dec 2018 08:02:19 -0700 Received: from ip68-227-174-240.om.om.cox.net ([68.227.174.240] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1gUv9e-0008Ci-KU; Thu, 06 Dec 2018 08:02:19 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: Christian Brauner Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, luto@kernel.org, arnd@arndb.de, serge@hallyn.com, jannh@google.com, akpm@linux-foundation.org, oleg@redhat.com, cyphar@cyphar.com, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, dancol@google.com, timmurray@google.com, linux-man@vger.kernel.org, keescook@chromium.org, fweimer@redhat.com, tglx@linutronix.de, x86@kernel.org References: <20181206121858.12215-1-christian@brauner.io> Date: Thu, 06 Dec 2018 09:01:19 -0600 In-Reply-To: <20181206121858.12215-1-christian@brauner.io> (Christian Brauner's message of "Thu, 6 Dec 2018 13:18:58 +0100") Message-ID: <87sgzahf7k.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1gUv9e-0008Ci-KU;;;mid=<87sgzahf7k.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=68.227.174.240;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+ICgacCitJQTRMUUrzB9HxBNXAz7Le6gg= X-SA-Exim-Connect-IP: 68.227.174.240 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on sa03.xmission.com X-Spam-Level: ** X-Spam-Status: No, score=2.4 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,FVGT_m_MULTI_ODD,LotsOfNums_01,T_TM2_M_HEADER_IN_MSG, T_TooManySym_01,T_TooManySym_02,T_XMDrugObfuBody_08 autolearn=disabled version=3.4.0 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 1.2 LotsOfNums_01 BODY: Lots of long strings of numbers * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa03 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject * 0.4 FVGT_m_MULTI_ODD Contains multiple odd letter combinations * 0.0 T_TooManySym_02 5+ unique symbols in subject * 1.0 T_XMDrugObfuBody_08 obfuscated drug references X-Spam-DCC: XMission; sa03 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Christian Brauner X-Spam-Relay-Country: X-Spam-Timing: total 46981 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 71 (0.2%), b_tie_ro: 64 (0.1%), parse: 63 (0.1%), extract_message_metadata: 1225 (2.6%), get_uri_detail_list: 248 (0.5%), tests_pri_-1000: 2177 (4.6%), tests_pri_-950: 47 (0.1%), tests_pri_-900: 51 (0.1%), tests_pri_-90: 1703 (3.6%), check_bayes: 1698 (3.6%), b_tokenize: 1217 (2.6%), b_tok_get_all: 192 (0.4%), b_comp_prob: 149 (0.3%), b_tok_touch_all: 46 (0.1%), b_finish: 4.3 (0.0%), tests_pri_0: 40954 (87.2%), check_dkim_signature: 15 (0.0%), check_dkim_adsp: 80 (0.2%), tests_pri_10: 118 (0.3%), tests_pri_500: 393 (0.8%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v4] signal: add taskfd_send_signal() syscall X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christian Brauner writes: > The kill() syscall operates on process identifiers (pid). After a process > has exited its pid can be reused by another process. If a caller sends a > signal to a reused pid it will end up signaling the wrong process. This > issue has often surfaced and there has been a push [1] to address this > problem. > > This patch uses file descriptors (fd) from proc/ as stable handles on > struct pid. Even if a pid is recycled the handle will not change. The fd > can be used to send signals to the process it refers to. > Thus, the new syscall taskfd_send_signal() is introduced to solve this > problem. Instead of pids it operates on process fds (taskfd). I am not yet thrilled with the taskfd naming. Is there any plan to support sesssions and process groups? I am concerned about using kill_pid_info. It does this: rcu_read_lock(); p = pid_task(pid, PIDTYPE_PID); if (p) error = group_send_sig_info(sig, info, p, PIDTYPE_TGID); rcu_read_unlock(); That pid_task(PIDTYPE_PID) is fine for existing callers that need bug compatibility. For new interfaces I would strongly prefer pid_task(PIDTYPE_TGID). Eric > > /* prototype and argument /* > long taskfd_send_signal(int taskfd, int sig, siginfo_t *info, unsigned int flags); > > In addition to the taskfd and signal argument it takes an additional > siginfo_t and flags argument. If the siginfo_t argument is NULL then > taskfd_send_signal() behaves like kill(). If it is not NULL > taskfd_send_signal() behaves like rt_sigqueueinfo(). > The flags argument is added to allow for future extensions of this syscall. > It currently needs to be passed as 0. Failing to do so will cause EINVAL. > > /* taskfd_send_signal() replaces multiple pid-based syscalls */ > The taskfd_send_signal() syscall currently takes on the job of the > following syscalls that operate on pids: > - kill(2) > - rt_sigqueueinfo(2) > The syscall is defined in such a way that it can also operate on thread fds > instead of process fds. In a future patchset I will extend it to operate on > taskfds from /proc//task/ at which point it will additionally > take on the job of: > - tgkill(2) > - rt_tgsigqueueinfo(2) > Right now this is intentionally left out to keep this patchset as simple as > possible (cf. [4]). If a taskfd of /proc//task/ is passed > EOPNOTSUPP will be returned to give userspace a way to detect when I add > support for such taskfds (cf. [10]). > > /* naming */ > The original prefix of the syscall was "procfd_". However, it has been > pointed out that since this syscall will eventually operate on both > processes and threads the name should reflect this (cf. [12]). The best > possible candidate even from a userspace perspective seems to be "task". > Although "task" is used internally we are alreday deviating from POSIX by > using file descriptors to processes in the first place so it seems fine to > use the "taskfd_" prefix. > > The name taskfd_send_signal() was also chosen to reflect the fact that it > takes on the job of multiple syscalls. It is intentional that the name is > not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the fomer > because it might imply that taskfd_send_signal() is only a replacement for > kill(2) and not the latter because it is a hazzle to remember the correct > spelling (especially for non-native speakers) and because it is not > descriptive enough of what the syscall actually does. The name > "taskfd_send_signal" makes it very clear that its job is to send signals. > > /* O_PATH file descriptors */ > taskfds opened as O_PATH fds cannot be used to send signals to a process > (cf. [2]). Signaling processes through taskfds is the equivalent of writing > to a file. Thus, this is not an operation that operates "purely at the > file descriptor level" as required by the open(2) manpage. > > /* zombies */ > Zombies can be signaled just as any other process. No special error will be > reported since a zombie state is an unreliable state (cf. [3]). > > /* cross-namespace signals */ > The patch currently enforces that the signaler and signalee either are in > the same pid namespace or that the signaler's pid namespace is an ancestor > of the signalee's pid namespace. This is done for the sake of simplicity > and because it is unclear to what values certain members of struct > siginfo_t would need to be set to (cf. [5], [6]). > > /* compat syscalls */ > It became clear that we would like to avoid adding compat syscalls (cf. > [7]). The compat syscall handling is now done in kernel/signal.c itself by > adding __copy_siginfo_from_user_generic() which lets us avoid compat > syscalls (cf. [8]). It should be noted that the addition of > __copy_siginfo_from_user_any() is caused by a bug in the original > implementation of rt_sigqueueinfo(2) (cf. 12). > With upcoming rework for syscall handling things might improve > significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain > any additional callers. > > /* testing */ > This patch was tested on x64 and x86. > > /* userspace usage */ > An asciinema recording for the basic functionality can be found under [9]. > With this patch a process can be killed via: > > #define _GNU_SOURCE > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > > static inline int do_taskfd_send_signal(int taskfd, int sig, siginfo_t *info, > unsigned int flags) > { > #ifdef __NR_taskfd_send_signal > return syscall(__NR_taskfd_send_signal, taskfd, sig, info, flags); > #else > return -ENOSYS; > #endif > } > > int main(int argc, char *argv[]) > { > int fd, ret, saved_errno, sig; > > if (argc < 3) > exit(EXIT_FAILURE); > > fd = open(argv[1], O_DIRECTORY | O_CLOEXEC); > if (fd < 0) { > printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]); > exit(EXIT_FAILURE); > } > > sig = atoi(argv[2]); > > printf("Sending signal %d to process %s\n", sig, argv[1]); > ret = do_taskfd_send_signal(fd, sig, NULL, 0); > > saved_errno = errno; > close(fd); > errno = saved_errno; > > if (ret < 0) { > printf("%s - Failed to send signal %d to process %s\n", > strerror(errno), sig, argv[1]); > exit(EXIT_FAILURE); > } > > exit(EXIT_SUCCESS); > } > > [1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/ > [2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/ > [3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/ > [4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/ > [5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/ > [6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/ > [7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/ > [8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/ > [9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy > [10]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/ > [11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/ > [12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/ > > Cc: Arnd Bergmann > Cc: "Eric W. Biederman" > Cc: Serge Hallyn > Cc: Jann Horn > Cc: Andy Lutomirsky > Cc: Andrew Morton > Cc: Oleg Nesterov > Cc: Aleksa Sarai > Cc: Al Viro > Cc: Florian Weimer > Signed-off-by: Christian Brauner > Reviewed-by: Kees Cook > --- > Changelog: > v4: > - updated asciinema to use "taskfd_" prefix > - s/procfd_send_signal/taskfd_send_signal/g > - s/proc_is_tgid_procfd/tgid_taskfd_to_pid/b > - s/proc_is_tid_procfd/tid_taskfd_to_pid/b > - s/__copy_siginfo_from_user_generic/__copy_siginfo_from_user_any/g > - make it clear that __copy_siginfo_from_user_any() is a workaround caused > by a bug in the original implementation of rt_sigqueueinfo() > - when spoofing signals turn them into regular kill signals if si_code is > set to SI_USER > - make proc_is_t{g}id_procfd() return struct pid to allow proc_pid() to > stay private to fs/proc/ > v3: > - add __copy_siginfo_from_user_generic() to avoid adding compat syscalls > - s/procfd_signal/procfd_send_signal/g > - change type of flags argument from int to unsigned int > - add comment about what happens to zombies > - add proc_is_tid_procfd() > - return EOPNOTSUPP when /proc//task/ fd is passed so userspace > has a way of knowing that tidfds are not supported currently. > v2: > - define __NR_procfd_signal in unistd.h > - wire up compat syscall > - s/proc_is_procfd/proc_is_tgid_procfd/g > - provide stubs when CONFIG_PROC_FS=n > - move proc_pid() to linux/proc_fs.h header > - use proc_pid() to grab struct pid from /proc/ fd > v1: > - patch introduced > --- > arch/x86/entry/syscalls/syscall_32.tbl | 1 + > arch/x86/entry/syscalls/syscall_64.tbl | 1 + > fs/proc/base.c | 20 +++- > include/linux/proc_fs.h | 12 +++ > include/linux/syscalls.h | 3 + > include/uapi/asm-generic/unistd.h | 4 +- > kernel/signal.c | 132 +++++++++++++++++++++++-- > 7 files changed, 164 insertions(+), 9 deletions(-) > > diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl > index 3cf7b533b3d1..7efb63fd0617 100644 > --- a/arch/x86/entry/syscalls/syscall_32.tbl > +++ b/arch/x86/entry/syscalls/syscall_32.tbl > @@ -398,3 +398,4 @@ > 384 i386 arch_prctl sys_arch_prctl __ia32_compat_sys_arch_prctl > 385 i386 io_pgetevents sys_io_pgetevents __ia32_compat_sys_io_pgetevents > 386 i386 rseq sys_rseq __ia32_sys_rseq > +387 i386 taskfd_send_signal sys_taskfd_send_signal __ia32_sys_taskfd_send_signal > diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl > index f0b1709a5ffb..be894f4a84e9 100644 > --- a/arch/x86/entry/syscalls/syscall_64.tbl > +++ b/arch/x86/entry/syscalls/syscall_64.tbl > @@ -343,6 +343,7 @@ > 332 common statx __x64_sys_statx > 333 common io_pgetevents __x64_sys_io_pgetevents > 334 common rseq __x64_sys_rseq > +335 common taskfd_send_signal __x64_sys_taskfd_send_signal > > # > # x32-specific system call numbers start at 512 to avoid cache impact > diff --git a/fs/proc/base.c b/fs/proc/base.c > index ce3465479447..b8b88bfee455 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -716,8 +716,6 @@ static int proc_pid_permission(struct inode *inode, int mask) > return generic_permission(inode, mask); > } > > - > - > static const struct inode_operations proc_def_inode_operations = { > .setattr = proc_setattr, > }; > @@ -3038,6 +3036,15 @@ static const struct file_operations proc_tgid_base_operations = { > .llseek = generic_file_llseek, > }; > > +struct pid *tgid_taskfd_to_pid(const struct file *file) > +{ > + if (!d_is_dir(file->f_path.dentry) || > + (file->f_op != &proc_tgid_base_operations)) > + return ERR_PTR(-EBADF); > + > + return proc_pid(file_inode(file)); > +} > + > static struct dentry *proc_tgid_base_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) > { > return proc_pident_lookup(dir, dentry, > @@ -3422,6 +3429,15 @@ static const struct file_operations proc_tid_base_operations = { > .llseek = generic_file_llseek, > }; > > +struct pid *tid_taskfd_to_pid(const struct file *file) > +{ > + if (!d_is_dir(file->f_path.dentry) || > + (file->f_op != &proc_tid_base_operations)) > + return ERR_PTR(-EBADF); > + > + return proc_pid(file_inode(file)); > +} > + > static const struct inode_operations proc_tid_base_inode_operations = { > .lookup = proc_tid_base_lookup, > .getattr = pid_getattr, > diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h > index d0e1f1522a78..96817415c420 100644 > --- a/include/linux/proc_fs.h > +++ b/include/linux/proc_fs.h > @@ -73,6 +73,8 @@ struct proc_dir_entry *proc_create_net_single_write(const char *name, umode_t mo > int (*show)(struct seq_file *, void *), > proc_write_t write, > void *data); > +extern struct pid *tgid_taskfd_to_pid(const struct file *file); > +extern struct pid *tid_taskfd_to_pid(const struct file *file); > > #else /* CONFIG_PROC_FS */ > > @@ -114,6 +116,16 @@ static inline int remove_proc_subtree(const char *name, struct proc_dir_entry *p > #define proc_create_net(name, mode, parent, state_size, ops) ({NULL;}) > #define proc_create_net_single(name, mode, parent, show, data) ({NULL;}) > > +static inline struct pid *tgid_taskfd_to_pid(const struct file *file) > +{ > + return ERR_PTR(-EBADF); > +} > + > +static inline struct pid *tid_taskfd_to_pid(const struct file *file) > +{ > + return ERR_PTR(-EBADF); > +} > + > #endif /* CONFIG_PROC_FS */ > > struct net; > diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h > index 2ac3d13a915b..5ffe194ef29b 100644 > --- a/include/linux/syscalls.h > +++ b/include/linux/syscalls.h > @@ -907,6 +907,9 @@ asmlinkage long sys_statx(int dfd, const char __user *path, unsigned flags, > unsigned mask, struct statx __user *buffer); > asmlinkage long sys_rseq(struct rseq __user *rseq, uint32_t rseq_len, > int flags, uint32_t sig); > +asmlinkage long sys_taskfd_send_signal(int taskfd, int sig, > + siginfo_t __user *info, > + unsigned int flags); > > /* > * Architecture-specific system calls > diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h > index 538546edbfbd..9343dca63fd9 100644 > --- a/include/uapi/asm-generic/unistd.h > +++ b/include/uapi/asm-generic/unistd.h > @@ -738,9 +738,11 @@ __SYSCALL(__NR_statx, sys_statx) > __SC_COMP(__NR_io_pgetevents, sys_io_pgetevents, compat_sys_io_pgetevents) > #define __NR_rseq 293 > __SYSCALL(__NR_rseq, sys_rseq) > +#define __NR_taskfd_send_signal 294 > +__SYSCALL(__NR_taskfd_send_signal, sys_taskfd_send_signal) > > #undef __NR_syscalls > -#define __NR_syscalls 294 > +#define __NR_syscalls 295 > > /* > * 32 bit systems traditionally used different > diff --git a/kernel/signal.c b/kernel/signal.c > index 9a32bc2088c9..a00a4bcb7605 100644 > --- a/kernel/signal.c > +++ b/kernel/signal.c > @@ -19,7 +19,9 @@ > #include > #include > #include > +#include > #include > +#include > #include > #include > #include > @@ -3286,6 +3288,16 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait, compat_sigset_t __user *, uthese, > } > #endif > > +static inline void prepare_kill_siginfo(int sig, struct kernel_siginfo *info) > +{ > + clear_siginfo(info); > + info->si_signo = sig; > + info->si_errno = 0; > + info->si_code = SI_USER; > + info->si_pid = task_tgid_vnr(current); > + info->si_uid = from_kuid_munged(current_user_ns(), current_uid()); > +} > + > /** > * sys_kill - send a signal to a process > * @pid: the PID of the process > @@ -3295,16 +3307,124 @@ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) > { > struct kernel_siginfo info; > > - clear_siginfo(&info); > - info.si_signo = sig; > - info.si_errno = 0; > - info.si_code = SI_USER; > - info.si_pid = task_tgid_vnr(current); > - info.si_uid = from_kuid_munged(current_user_ns(), current_uid()); > + prepare_kill_siginfo(sig, &info); > > return kill_something_info(sig, &info, pid); > } > > +/* > + * Verify that the signaler and signalee either are in the same pid namespace > + * or that the signaler's pid namespace is an ancestor of the signalee's pid > + * namespace. > + */ > +static bool may_signal_taskfd(struct pid *pid) > +{ > + struct pid_namespace *active = task_active_pid_ns(current); > + struct pid_namespace *p = ns_of_pid(pid); > + > + for (;;) { > + if (!p) > + return false; > + if (p == active) > + break; > + p = p->parent; > + } > + > + return true; > +} > + > +static int copy_siginfo_from_user_any(kernel_siginfo_t *kinfo, siginfo_t *info) > +{ > +#ifdef CONFIG_COMPAT > + /* > + * Avoid hooking up compat syscalls and instead handle necessary > + * conversions here. Note, this is a stop-gap measure and should not be > + * considered a generic solution. > + */ > + if (in_compat_syscall()) > + return copy_siginfo_from_user32( > + kinfo, (struct compat_siginfo __user *)info); > +#endif > + return copy_siginfo_from_user(kinfo, info); > +} > + > +/** > + * sys_taskfd_send_signal - send a signal to a process through a task file > + * descriptor > + * @taskfd: the file descriptor of the process > + * @sig: signal to be sent > + * @info: the signal info > + * @flags: future flags to be passed > + * > + * Return: 0 on success, negative errno on failure > + */ > +SYSCALL_DEFINE4(taskfd_send_signal, int, taskfd, int, sig, > + siginfo_t __user *, info, unsigned int, flags) > +{ > + int ret; > + struct fd f; > + struct pid *pid; > + kernel_siginfo_t kinfo; > + > + /* Enforce flags be set to 0 until we add an extension. */ > + if (flags) > + return -EINVAL; > + > + f = fdget_raw(taskfd); > + if (!f.file) > + return -EBADF; > + > + pid = tid_taskfd_to_pid(f.file); > + if (!IS_ERR(pid)) { > + /* > + * Give userspace a way to detect /proc//task/ > + * support when we add it. > + */ > + ret = -EOPNOTSUPP; > + goto err; > + } > + > + /* Is this a procfd? */ > + pid = tgid_taskfd_to_pid(f.file); > + if (IS_ERR(pid)) { > + ret = PTR_ERR(pid); > + goto err; > + } > + > + ret = -EINVAL; > + if (!may_signal_taskfd(pid)) > + goto err; > + > + if (info) { > + ret = copy_siginfo_from_user_any(&kinfo, info); > + if (unlikely(ret)) > + goto err; > + > + ret = -EINVAL; > + if (unlikely(sig != kinfo.si_signo)) > + goto err; > + > + if ((task_pid(current) != pid) && > + (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) { > + /* Only allow sending arbitrary signals to yourself. */ > + ret = -EPERM; > + if (kinfo.si_code != SI_USER) > + goto err; > + > + /* Turn this into a regular kill signal. */ > + prepare_kill_siginfo(sig, &kinfo); > + } > + } else { > + prepare_kill_siginfo(sig, &kinfo); > + } > + > + ret = kill_pid_info(sig, &kinfo, pid); > + > +err: > + fdput(f); > + return ret; > +} > + > static int > do_send_specific(pid_t tgid, pid_t pid, int sig, struct kernel_siginfo *info) > {