diff options
author | Oleg Nesterov <oleg@tv-sign.ru> | 2008-04-30 09:53:01 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-04-30 17:29:37 +0200 |
commit | 2e2ba22ea4fd4bb85f0fa37c521066db6775cbef (patch) | |
tree | aada1523affbcbe1301decad43ad0875e1f680c4 /kernel | |
parent | signals: send_signal: be paranoid about signalfd_notify() (diff) | |
download | linux-2e2ba22ea4fd4bb85f0fa37c521066db6775cbef.tar.xz linux-2e2ba22ea4fd4bb85f0fa37c521066db6775cbef.zip |
signals: check_kill_permission: check session under tasklist_lock
This wasn't documented, but as Atsushi Tsuji pointed out
check_kill_permission() needs tasklist_lock for task_session_nr(). I missed
this fact when removed tasklist from the callers.
Change check_kill_permission() to take tasklist_lock for the SIGCONT case.
Re-order security checks so that we take tasklist_lock only if/when it is
actually needed. This is a minimal fix for now, tasklist will be removed
later.
Also change the code to use task_session() instead of task_session_nr().
Also, remove the SIGCONT check from cap_task_kill(), it is bogus (and the
whole function is bogus. Serge, Eric, why it is still alive?).
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Acked-by: Atsushi Tsuji <a-tsuji@bk.jp.nec.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/signal.c | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/kernel/signal.c b/kernel/signal.c index 251cc13720bd..24be82c0aae3 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -533,6 +533,7 @@ static int rm_from_queue(unsigned long mask, struct sigpending *s) static int check_kill_permission(int sig, struct siginfo *info, struct task_struct *t) { + struct pid *sid; int error; if (!valid_signal(sig)) @@ -545,11 +546,24 @@ static int check_kill_permission(int sig, struct siginfo *info, if (error) return error; - if (((sig != SIGCONT) || (task_session_nr(current) != task_session_nr(t))) - && (current->euid ^ t->suid) && (current->euid ^ t->uid) - && (current->uid ^ t->suid) && (current->uid ^ t->uid) - && !capable(CAP_KILL)) - return -EPERM; + if ((current->euid ^ t->suid) && (current->euid ^ t->uid) && + (current->uid ^ t->suid) && (current->uid ^ t->uid) && + !capable(CAP_KILL)) { + switch (sig) { + case SIGCONT: + read_lock(&tasklist_lock); + sid = task_session(t); + read_unlock(&tasklist_lock); + /* + * We don't return the error if sid == NULL. The + * task was unhashed, the caller must notice this. + */ + if (!sid || sid == task_session(current)) + break; + default: + return -EPERM; + } + } return security_task_kill(t, info, sig, 0); } |