signals: don't abuse __flush_signals() in selinux_bprm_committed_creds()

selinux_bprm_committed_creds()->__flush_signals() is not right, we
shouldn't clear TIF_SIGPENDING unconditionally. There can be other
reasons for signal_pending(): freezing(), JOBCTL_PENDING_MASK, and
potentially more.

Also change this code to check fatal_signal_pending() rather than
SIGNAL_GROUP_EXIT, it looks a bit better.

Now we can kill __flush_signals() before it finds another buggy user.

Note: this code looks racy, we can flush a signal which was sent after
the task SID has been updated.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 99c4a00cce4e..8abbd548ece9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2416,10 +2416,12 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
                 for (i = 0; i < 3; i++)
                         do_setitimer(i, &itimer, NULL);
                 spin_lock_irq(&current->sighand->siglock);
-                if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
-                        __flush_signals(current);
+                if (!fatal_signal_pending(current)) {
+                        flush_sigqueue(&current->pending);
+                        flush_sigqueue(&current->signal->shared_pending);
                         flush_signal_handlers(current, 1);
                         sigemptyset(&current->blocked);
+                        recalc_sigpending();
                 }
                 spin_unlock_irq(&current->sighand->siglock);
         }