authorAndrew Morton <akpm@osdl.org>2003-12-29 23:43:11 -0800
committerLinus Torvalds <torvalds@home.osdl.org>2003-12-29 23:43:11 -0800
commit236446415d197960007e8d5b17e62c86a6280f08 (patch)
tree0f96785392db2255b29a1ecc8daa31d45d02b04f /security
parente606758e59f0a821b1db8387f1199931d4cd307f (diff)
[PATCH] Add signal state inheritance control to SELinux
From: Stephen Smalley <sds@epoch.ncsc.mil> This patch against 2.6.0 adds a control to the SELinux module over the inheritance of signal-related state upon security context transitions in order to protect the new security context. If the permission is not granted by the policy for a given pair of contexts, then transitions between them will clear itimers, flush all pending signals, forcibly flush signal handlers, and unblock all signals. Roland McGrath provided input and feedback on the patch. Please apply, or let James Morris and me know if you'd like this to be resubmitted later. Thanks.
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c23
-rw-r--r--security/selinux/include/av_perm_to_string.h1
-rw-r--r--security/selinux/include/av_permissions.h1
3 files changed, 24 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0faf0a68cce1f..9ce5b79b13f5a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1515,7 +1515,8 @@ static void selinux_bprm_compute_creds(struct linux_binprm *bprm)
struct bprm_security_struct *bsec;
u32 sid;
struct av_decision avd;
- int rc;
+ struct itimerval itimer;
+ int rc, i;
secondary_ops->bprm_compute_creds(bprm);
@@ -1565,6 +1566,26 @@ static void selinux_bprm_compute_creds(struct linux_binprm *bprm)
/* Close files for which the new task SID is not authorized. */
flush_unauthorized_files(current->files);
+ /* Check whether the new SID can inherit signal state
+ from the old SID. If not, clear itimers to avoid
+ subsequent signal generation and flush and unblock
+ signals. This must occur _after_ the task SID has
+ been updated so that any kill done after the flush
+ will be checked against the new SID. */
+ rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
+ PROCESS__SIGINH, NULL, NULL);
+ if (rc) {
+ memset(&itimer, 0, sizeof itimer);
+ for (i = 0; i < 3; i++)
+ do_setitimer(i, &itimer, NULL);
+ flush_signals(current);
+ spin_lock_irq(&current->sighand->siglock);
+ flush_signal_handlers(current, 1);
+ sigemptyset(&current->blocked);
+ recalc_sigpending();
+ spin_unlock_irq(&current->sighand->siglock);
+ }
+
/* Wake up the parent if it is waiting so that it can
recheck wait permission to the new task SID. */
wake_up_interruptible(&current->parent->wait_chldexit);
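Review bot: The denied branch calls `flush_signals(current)` unconditionally, which as far as this hunk shows also discards a SIGKILL that was already queued before the transition, so a kill that was permitted against the old SID can be silently lost. Consider skipping the flush when a fatal signal is pending, for example by guarding the flush with `if (!sigismember(&current->pending.signal, SIGKILL))` (the shared pending set would presumably need the same check), so the task still dies instead of continuing in the new context. Separately, the bound in `for (i = 0; i < 3; i++)` is a magic number standing for the three itimer kinds; a comment such as `/* ITIMER_REAL, ITIMER_VIRTUAL, ITIMER_PROF */` would make that explicit. selinux_bprm_compute_creds begins and ends outside the hunk.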
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 6d85e60b8f883..b497a9636967c 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -66,6 +66,7 @@ static struct av_perm_to_string av_perm_to_string[] = {
{ SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" },
{ SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" },
{ SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" },
+ { SECCLASS_PROCESS, PROCESS__SIGINH, "siginh" },
{ SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" },
{ SECCLASS_MSG, MSG__SEND, "send" },
{ SECCLASS_MSG, MSG__RECEIVE, "receive" },
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index f49a867448d28..876fecf4fe77b 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -450,6 +450,7 @@
#define PROCESS__SETEXEC 0x00020000UL
#define PROCESS__SETFSCREATE 0x00040000UL
#define PROCESS__NOATSECURE 0x00080000UL
+#define PROCESS__SIGINH 0x00100000UL
#define IPC__SETATTR 0x00000008UL
#define IPC__READ 0x00000010UL