signals: cleanup security_task_kill() usage/implementation
Every implementation of ->task_kill() does nothing when the signal comes from the kernel. This is correct, but means that check_kill_permission() should call security_task_kill() only for SI_FROMUSER() case, and we can remove the same check from ->task_kill() implementations. (sadly, check_kill_permission() is the last user of signal->session/__session but we can't s/task_session_nr/task_session/ here). NOTE: Eric W. Biederman pointed out cap_task_kill() should die, and I think he is very right. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Serge Hallyn <serue@us.ibm.com> Cc: Roland McGrath <roland@redhat.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: David Quigley <dpquigl@tycho.nsa.gov> Cc: Eric Paris <eparis@redhat.com> Cc: Harald Welte <laforge@gnumonks.org> Cc: Pavel Emelyanov <xemul@openvz.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
9e3bd6c3fb
commit
3b5e9e53c6
|
@ -533,22 +533,23 @@ static int rm_from_queue(unsigned long mask, struct sigpending *s)
|
|||
static int check_kill_permission(int sig, struct siginfo *info,
|
||||
struct task_struct *t)
|
||||
{
|
||||
int error = -EINVAL;
|
||||
int error;
|
||||
|
||||
if (!valid_signal(sig))
|
||||
return -EINVAL;
|
||||
|
||||
if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
|
||||
return 0;
|
||||
|
||||
error = audit_signal_info(sig, t); /* Let audit system see the signal */
|
||||
if (error)
|
||||
return error;
|
||||
|
||||
if (info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) {
|
||||
error = audit_signal_info(sig, t); /* Let audit system see the signal */
|
||||
if (error)
|
||||
return error;
|
||||
error = -EPERM;
|
||||
if (((sig != SIGCONT) ||
|
||||
(task_session_nr(current) != task_session_nr(t)))
|
||||
&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
|
||||
&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
|
||||
&& !capable(CAP_KILL))
|
||||
return error;
|
||||
}
|
||||
if (((sig != SIGCONT) || (task_session_nr(current) != task_session_nr(t)))
|
||||
&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
|
||||
&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
|
||||
&& !capable(CAP_KILL))
|
||||
return -EPERM;
|
||||
|
||||
return security_task_kill(t, info, sig, 0);
|
||||
}
|
||||
|
|
|
@ -3286,9 +3286,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
|
|||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
|
||||
return 0;
|
||||
|
||||
if (!sig)
|
||||
perm = PROCESS__SIGNULL; /* null signal; existence test */
|
||||
else
|
||||
|
|
|
@ -1130,15 +1130,6 @@ static int smack_task_movememory(struct task_struct *p)
|
|||
static int smack_task_kill(struct task_struct *p, struct siginfo *info,
|
||||
int sig, u32 secid)
|
||||
{
|
||||
/*
|
||||
* Special cases where signals really ought to go through
|
||||
* in spite of policy. Stephen Smalley suggests it may
|
||||
* make sense to change the caller so that it doesn't
|
||||
* bother with the LSM hook in these cases.
|
||||
*/
|
||||
if (info != SEND_SIG_NOINFO &&
|
||||
(is_si_special(info) || SI_FROMKERNEL(info)))
|
||||
return 0;
|
||||
/*
|
||||
* Sending a signal requires that the sender
|
||||
* can write the receiver.
|
||||
|
|
Loading…
Reference in New Issue