signals: cleanup security_task_kill() usage/implementation
Oleg Nesterov [Wed, 30 Apr 2008 07:52:42 +0000 (00:52 -0700)]
Every implementation of ->task_kill() does nothing when the signal comes from
the kernel.  This is correct, but means that check_kill_permission() should
call security_task_kill() only for SI_FROMUSER() case, and we can remove the
same check from ->task_kill() implementations.

(sadly, check_kill_permission() is the last user of signal->session/__session
 but we can't s/task_session_nr/task_session/ here).

NOTE: Eric W.  Biederman pointed out cap_task_kill() should die, and I think
he is very right.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serue@us.ibm.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: David Quigley <dpquigl@tycho.nsa.gov>
Cc: Eric Paris <eparis@redhat.com>
Cc: Harald Welte <laforge@gnumonks.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

kernel/signal.c
security/selinux/hooks.c
security/smack/smack_lsm.c

index f9a52c7..91d57f8 100644 (file)
@@ -533,22 +533,23 @@ static int rm_from_queue(unsigned long mask, struct sigpending *s)
 static int check_kill_permission(int sig, struct siginfo *info,
                                 struct task_struct *t)
 {
-       int error = -EINVAL;
+       int error;
+
        if (!valid_signal(sig))
-               return error;
+               return -EINVAL;
 
-       if (info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) {
-               error = audit_signal_info(sig, t); /* Let audit system see the signal */
-               if (error)
-                       return error;
-               error = -EPERM;
-               if (((sig != SIGCONT) ||
-                       (task_session_nr(current) != task_session_nr(t)))
-                   && (current->euid ^ t->suid) && (current->euid ^ t->uid)
-                   && (current->uid ^ t->suid) && (current->uid ^ t->uid)
-                   && !capable(CAP_KILL))
+       if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
+               return 0;
+
+       error = audit_signal_info(sig, t); /* Let audit system see the signal */
+       if (error)
                return error;
-       }
+
+       if (((sig != SIGCONT) || (task_session_nr(current) != task_session_nr(t)))
+           && (current->euid ^ t->suid) && (current->euid ^ t->uid)
+           && (current->uid ^ t->suid) && (current->uid ^ t->uid)
+           && !capable(CAP_KILL))
+               return -EPERM;
 
        return security_task_kill(t, info, sig, 0);
 }
index 85a2204..1b50a6e 100644 (file)
@@ -3286,9 +3286,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
        if (rc)
                return rc;
 
-       if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
-               return 0;
-
        if (!sig)
                perm = PROCESS__SIGNULL; /* null signal; existence test */
        else
index fe0ae1b..b5c8f92 100644 (file)
@@ -1131,15 +1131,6 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
                           int sig, u32 secid)
 {
        /*
-        * Special cases where signals really ought to go through
-        * in spite of policy. Stephen Smalley suggests it may
-        * make sense to change the caller so that it doesn't
-        * bother with the LSM hook in these cases.
-        */
-       if (info != SEND_SIG_NOINFO &&
-           (is_si_special(info) || SI_FROMKERNEL(info)))
-               return 0;
-       /*
         * Sending a signal requires that the sender
         * can write the receiver.
         */