signals: cleanup security_task_kill() usage/implementation

Every implementation of ->task_kill() does nothing when the signal comes from the kernel. This is correct, but means that check_kill_permission() should call security_task_kill() only for SI_FROMUSER() case, and we can remove the same check from ->task_kill() implementations. (sadly, check_kill_permission() is the last user of signal->session/__session but we can't s/task_session_nr/task_session/ here). NOTE: Eric W. Biederman pointed out cap_task_kill() should die, and I think he is very right. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Serge Hallyn <serue@us.ibm.com> Cc: Roland McGrath <roland@redhat.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: David Quigley <dpquigl@tycho.nsa.gov> Cc: Eric Paris <eparis@redhat.com> Cc: Harald Welte <laforge@gnumonks.org> Cc: Pavel Emelyanov <xemul@openvz.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Oleg Nesterov <oleg@tv-sign.ru> 2008-04-30 03:52:42 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2008-04-30 11:29:34 -0400
commit: 3b5e9e53c6f31b5a5a0f5c43707503c62bdefa46 (patch)
tree: 1244b7cf2755c06a8a793149ce4717e4a1311218
parent: 9e3bd6c3fb2334be171e69b432039cd18bce4458 (diff)
3 files changed, 14 insertions, 25 deletions
diff --git a/kernel/signal.c b/kernel/signal.c
index f9a52c721274..91d57f89f5a5 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -533,22 +533,23 @@ static int rm_from_queue(unsigned long mask, struct sigpending *s)
 static int check_kill_permission(int sig, struct siginfo *info,
                                 struct task_struct *t)
 {
-        int error = -EINVAL;
+        int error;
        if (!valid_signal(sig))
-                return error;
+                return -EINVAL;
-        if (info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) {
+        if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
-                error = audit_signal_info(sig, t); /* Let audit system see the signal */
+                return 0;
-                if (error)
-                        return error;
+        error = audit_signal_info(sig, t); /* Let audit system see the signal */
-                error = -EPERM;
+        if (error)
-                if (((sig != SIGCONT) ||
-                        (task_session_nr(current) != task_session_nr(t)))
-                    && (current->euid ^ t->suid) && (current->euid ^ t->uid)
-                    && (current->uid ^ t->suid) && (current->uid ^ t->uid)
-                    && !capable(CAP_KILL))
                return error;
-        }
+        if (((sig != SIGCONT) || (task_session_nr(current) != task_session_nr(t)))
+            && (current->euid ^ t->suid) && (current->euid ^ t->uid)
+            && (current->uid ^ t->suid) && (current->uid ^ t->uid)
+            && !capable(CAP_KILL))
+                return -EPERM;
        return security_task_kill(t, info, sig, 0);
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 85a220465a8f..1b50a6ebc55f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3286,9 +3286,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
        if (rc)
                return rc;
-        if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
-                return 0;
        if (!sig)
                perm = PROCESS__SIGNULL; /* null signal; existence test */
        else
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index fe0ae1bf1650..b5c8f9237008 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1131,15 +1131,6 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
                           int sig, u32 secid)
 {
        /*
-         * Special cases where signals really ought to go through
-         * in spite of policy. Stephen Smalley suggests it may
-         * make sense to change the caller so that it doesn't
-         * bother with the LSM hook in these cases.
-         */
-        if (info != SEND_SIG_NOINFO &&
-            (is_si_special(info) || SI_FROMKERNEL(info)))
-                return 0;
-        /*
         * Sending a signal requires that the sender
         * can write the receiver.
         */
author	Oleg Nesterov <oleg@tv-sign.ru>	2008-04-30 03:52:42 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2008-04-30 11:29:34 -0400
commit	3b5e9e53c6f31b5a5a0f5c43707503c62bdefa46 (patch)
tree	1244b7cf2755c06a8a793149ce4717e4a1311218
parent	9e3bd6c3fb2334be171e69b432039cd18bce4458 (diff)

diff --git a/kernel/signal.c b/kernel/signal.c index f9a52c721274..91d57f89f5a5 100644 --- a/kernel/signal.c +++ b/kernel/signal.c
@@ -533,22 +533,23 @@ static int rm_from_queue(unsigned long mask, struct sigpending *s)
533	static int check_kill_permission(int sig, struct siginfo *info,	533	static int check_kill_permission(int sig, struct siginfo *info,
534	struct task_struct *t)	534	struct task_struct *t)
535	{	535	{
536	int error = -EINVAL;	536	int error;
		537
537	if (!valid_signal(sig))	538	if (!valid_signal(sig))
538	return error;	539	return -EINVAL;
539		540
540	if (info == SEND_SIG_NOINFO \|\| (!is_si_special(info) && SI_FROMUSER(info))) {	541	if (info != SEND_SIG_NOINFO && (is_si_special(info) \|\| SI_FROMKERNEL(info)))
541	error = audit_signal_info(sig, t); /* Let audit system see the signal */	542	return 0;
542	if (error)	543
543	return error;	544	error = audit_signal_info(sig, t); /* Let audit system see the signal */
544	error = -EPERM;	545	if (error)
545	if (((sig != SIGCONT) \|\|
546	(task_session_nr(current) != task_session_nr(t)))
547	&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
548	&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
549	&& !capable(CAP_KILL))
550	return error;	546	return error;
551	}	547
		548	if (((sig != SIGCONT) \|\| (task_session_nr(current) != task_session_nr(t)))
		549	&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
		550	&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
		551	&& !capable(CAP_KILL))
		552	return -EPERM;
552		553
553	return security_task_kill(t, info, sig, 0);	554	return security_task_kill(t, info, sig, 0);
554	}	555	}


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 85a220465a8f..1b50a6ebc55f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -3286,9 +3286,6 @@ static int selinux_task_kill(struct task_struct p, struct siginfo info,
3286	if (rc)	3286	if (rc)
3287	return rc;	3287	return rc;
3288		3288
3289	if (info != SEND_SIG_NOINFO && (is_si_special(info) \|\| SI_FROMKERNEL(info)))
3290	return 0;
3291
3292	if (!sig)	3289	if (!sig)
3293	perm = PROCESS__SIGNULL; /* null signal; existence test */	3290	perm = PROCESS__SIGNULL; /* null signal; existence test */
3294	else	3291	else


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fe0ae1bf1650..b5c8f9237008 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -1131,15 +1131,6 @@ static int smack_task_kill(struct task_struct p, struct siginfo info,
1131	int sig, u32 secid)	1131	int sig, u32 secid)
1132	{	1132	{
1133	/*	1133	/*
1134	* Special cases where signals really ought to go through
1135	* in spite of policy. Stephen Smalley suggests it may
1136	* make sense to change the caller so that it doesn't
1137	* bother with the LSM hook in these cases.
1138	*/
1139	if (info != SEND_SIG_NOINFO &&
1140	(is_si_special(info) \|\| SI_FROMKERNEL(info)))
1141	return 0;
1142	/*
1143	* Sending a signal requires that the sender	1134	* Sending a signal requires that the sender
1144	* can write the receiver.	1135	* can write the receiver.
1145	*/	1136	*/