From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue@us.ibm.com>
Date: Wed, 31 Oct 2007 11:22:04 -0500
Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2)

(This is a proposed fix to http://bugzilla.kernel.org/show_bug.cgi?id=9247)

Allow sigcont to be sent to a process with greater capabilities
if it is in the same session.  Otherwise, a shell from which
I've started a root shell and done 'suspend' can't be restarted
by the parent shell.

Also don't do file-capabilities signaling checks when uids for
the processes don't match, since the standard check_kill_permission
will have done those checks.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 security/commoncap.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index bf67871..4de6857 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
 	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
 		return 0;
 
+	/* if tasks have same uid, then check_kill_permission did check */
+	if (current->uid == p->uid || current->euid == p->uid ||
+		current->uid == p->suid || current->euid == p->suid)
+		return 0;
+
+	/* sigcont is permitted within same session */
+	if (sig == SIGCONT && (task_session_nr(current)==task_session_nr(p)))
+		return 0;
+
 	if (secid)
 		/*
 		 * Signal sent as a particular user.
-- 
1.5.1.1.GIT

-

Description doesn't match the code.  And in the non-matching uid case,
check_kill_permission typically returns an error before it reaches

I'm confused - if you are allowing all signals within the same uid, then
what was the point of having a cap_task_kill at all?  cap_task_kill was
supposed to prevent a process with lesser capabilities from killing a
process with more capabilities, even if they have the same uid, so that
when you have a program marked with file capabilities instead of a
setuid-0 program, that program can't be sent arbitrary signals by the
-- 
Stephen Smalley
National Security Agency

-

Egads.  I knew I should've just kept that part out of it for the first
patch...

New patch on top of previous one is appended.


Typically, but when it doesn't, then the file capabilities shouldn't get
in the way of check_kill_permission() granting permission.  The file

No I was confused.  I wanted to allow for tasks with different uids.

But in fact that's not safe anyway.  A binary can be setuid and owned by
a non-root user user1, have file capabilities, and be executed by user2.

(Anyway given how grossly my code missed my erroneous intentions, I need
to add some signal tests to my file capabilities tests - and get those

Thanks, Stephen.

From 98741f07ab1bc4a1fc2de7fedfb9023ea30bf988 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue@us.ibm.com>
Date: Thu, 1 Nov 2007 08:20:12 -0500
Subject: [PATCH 1/1] file capabilities: remove the non-matching uid special case for kill

There I went again having one patch do two (related) things.

Remove the special check I had added to cap_task_kill() for
non-matching uids.  In fact it turns out the check wouldn't be
safe even if I'd coded it correctly.  A binary can be setuid
and owned by a non-root user user1, have file capabilities, and
be executed by user2.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 security/commoncap.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index f04784a..302e8d0 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,11 +526,6 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
 	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
 		return 0;
 
-	/* if tasks have same uid, then check_kill_permission did check */
-	if (current->uid == p->uid || current->euid == p->uid ||
-		current->uid == p->suid || current->euid == p->suid)
-		return 0;
-
 	/* sigcont is permitted within same session */
 	if (sig == SIGCON...
[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Dang! I stared at the code a long time to see what you were doing...

And concluded that you had coded what you intended; allow processes that
share UIDs to kill one another - independent of capabilities. The fact
that this is the reverse of the words you used to introduce your patch,
I didn't notice.

I totally missed the fact that this was (unwanted) new functionality!!
Mea culpa for the bad review.

I certainly Sign off the revised patch.

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHLOicmwytjiwfWMwRAq5HAJ49eajMT4myf1oKfrab2oCw/o9HnwCgkYt2
RyIsmHVWmClsrxCz5s1HRJY=
=hGLO
-----END PGP SIGNATURE-----
-

Tested-by: "Theodore Ts'o" <tytso@mit.edu>

Thanks, this fixes the issue I reported!

				- Ted
-

I assume you'll just collapse the two patches together before you
submit them?  I've been distracted dealing with the ALPM suspend2ram
regression, which Jeff Garzik beat me to in bisecting, but I'll try
out your newer patch now...

						- Ted
-

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[kernel/signal.c:check_kill_permission() could probably benefit from
getting more consistently indented!]

I'm not sure I can grok your comment. Did you mean:

  /* as per, check_kill_permission(), permit if tasks have same uid */

As to content:

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>

Cheers

Andrew

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHKVpRQheEq9QabfIRAnp9AKCZHb526eioQWKycH7V7LfcHP7VvQCdG0AJ
QTVOLvQ2hip+j2qZ1mb2Y6w=
=45et
-----END PGP SIGNATURE-----
-

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ackd.

Cheers

Andrew

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHKSuSmwytjiwfWMwRAkHXAJ4lr07yW936ychUGNxqQSOanZTecwCePYVc
d8uP0I3AEDjTpG8s7Nojo7Y=
=8777
-----END PGP SIGNATURE-----
-