Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3b5e9e53 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Linus Torvalds
Browse files

signals: cleanup security_task_kill() usage/implementation 



Every implementation of ->task_kill() does nothing when the signal comes from
the kernel.  This is correct, but means that check_kill_permission() should
call security_task_kill() only for SI_FROMUSER() case, and we can remove the
same check from ->task_kill() implementations.

(sadly, check_kill_permission() is the last user of signal->session/__session
 but we can't s/task_session_nr/task_session/ here).

NOTE: Eric W.  Biederman pointed out cap_task_kill() should die, and I think
he is very right.

Signed-off-by: default avatarOleg Nesterov <oleg@tv-sign.ru>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serue@us.ibm.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: David Quigley <dpquigl@tycho.nsa.gov>
Cc: Eric Paris <eparis@redhat.com>
Cc: Harald Welte <laforge@gnumonks.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 9e3bd6c3

kernel/signal.c

+14 −13
Original line number Diff line number Diff line
@@ -533,22 +533,23 @@ static int rm_from_queue(unsigned long mask, struct sigpending *s) 
static int check_kill_permission(int sig, struct siginfo *info,

				 struct task_struct *t)

{

	int error = -EINVAL;

	int error;



	if (!valid_signal(sig))

		return error;

		return -EINVAL;



	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))

		return 0;



	if (info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) {

	error = audit_signal_info(sig, t); /* Let audit system see the signal */

	if (error)

		return error;

		error = -EPERM;

		if (((sig != SIGCONT) ||

			(task_session_nr(current) != task_session_nr(t)))



	if (((sig != SIGCONT) || (task_session_nr(current) != task_session_nr(t)))

	    && (current->euid ^ t->suid) && (current->euid ^ t->uid)

	    && (current->uid ^ t->suid) && (current->uid ^ t->uid)

	    && !capable(CAP_KILL))

		return error;

	}

		return -EPERM;



	return security_task_kill(t, info, sig, 0);

}

security/selinux/hooks.c

+0 −3
Original line number Diff line number Diff line
@@ -3286,9 +3286,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 
	if (rc)

		return rc;



	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))

		return 0;



	if (!sig)

		perm = PROCESS__SIGNULL; /* null signal; existence test */

	else

security/smack/smack_lsm.c

+0 −9
Original line number Diff line number Diff line
@@ -1130,15 +1130,6 @@ static int smack_task_movememory(struct task_struct *p) 
static int smack_task_kill(struct task_struct *p, struct siginfo *info,

			   int sig, u32 secid)

{

	/*

	 * Special cases where signals really ought to go through

	 * in spite of policy. Stephen Smalley suggests it may

	 * make sense to change the caller so that it doesn't

	 * bother with the LSM hook in these cases.

	 */

	if (info != SEND_SIG_NOINFO &&

	    (is_si_special(info) || SI_FROMKERNEL(info)))

		return 0;

	/*

	 * Sending a signal requires that the sender

	 * can write the receiver.