Merge branch 'master' of ssh://master.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6

1 files changed, 34 insertions, 12 deletions

diff --git a/kernel/signal.c b/kernel/signal.c
index 4e3cff10fdce..1186cf7fac77 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -636,13 +636,33 @@ static inline bool si_fromuser(const struct siginfo *info)
 }
 
 /*
+ * called with RCU read lock from check_kill_permission()
+ */
+static int kill_ok_by_cred(struct task_struct *t)
+{
+        const struct cred *cred = current_cred();
+        const struct cred *tcred = __task_cred(t);
+
+        if (cred->user->user_ns == tcred->user->user_ns &&
+            (cred->euid == tcred->suid ||
+             cred->euid == tcred->uid ||
+             cred->uid  == tcred->suid ||
+             cred->uid  == tcred->uid))
+                return 1;
+
+        if (ns_capable(tcred->user->user_ns, CAP_KILL))
+                return 1;
+
+        return 0;
+}
+
+/*
  * Bad permissions for sending the signal
  * - the caller must hold the RCU read lock
  */
 static int check_kill_permission(int sig, struct siginfo *info,
                                  struct task_struct *t)
 {
-        const struct cred *cred, *tcred;
         struct pid *sid;
         int error;
 
@@ -656,14 +676,8 @@ static int check_kill_permission(int sig, struct siginfo *info,
         if (error)
                 return error;
 
-        cred = current_cred();
-        tcred = __task_cred(t);
         if (!same_thread_group(current, t) &&
-            (cred->euid ^ tcred->suid) &&
-            (cred->euid ^ tcred->uid) &&
-            (cred->uid  ^ tcred->suid) &&
-            (cred->uid  ^ tcred->uid) &&
-            !capable(CAP_KILL)) {
+            !kill_ok_by_cred(t)) {
                 switch (sig) {
                 case SIGCONT:
                         sid = task_session(t);
@@ -2421,9 +2435,13 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
                 return -EFAULT;
 
         /* Not even root can pretend to send signals from the kernel.
-           Nor can they impersonate a kill(), which adds source info.  */
-        if (info.si_code >= 0)
+         * Nor can they impersonate a kill()/tgkill(), which adds source info.
+         */
+        if (info.si_code >= 0 || info.si_code == SI_TKILL) {
+                /* We used to allow any < 0 si_code */
+                WARN_ON_ONCE(info.si_code < 0);
                 return -EPERM;
+        }
         info.si_signo = sig;
 
         /* POSIX.1b doesn't mention process groups.  */
@@ -2437,9 +2455,13 @@ long do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, siginfo_t *info)
                 return -EINVAL;
 
         /* Not even root can pretend to send signals from the kernel.
-           Nor can they impersonate a kill(), which adds source info.  */
-        if (info->si_code >= 0)
+         * Nor can they impersonate a kill()/tgkill(), which adds source info.
+         */
+        if (info->si_code >= 0 || info->si_code == SI_TKILL) {
+                /* We used to allow any < 0 si_code */
+                WARN_ON_ONCE(info->si_code < 0);
                 return -EPERM;
+        }
         info->si_signo = sig;
 
         return do_send_specific(tgid, pid, sig, info);