On 11/30/2018 7:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?

No. An LSM may choose to disallow this based on just about any criteria
it desires.

> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.

SELinux, Smack and AppArmor make their decisions based on the task_struct
credential, so if it's possible to change the LSM attributes at the task
granularity, it's possible to have a process that can't always talk to
itself.

> I want to support per-thread setresuid/setresgid,

That's pretty dangerous in its own right. Effectively the process
containing the threads has multiple UIDs. That complicates the DAC model
significantly.

> but we also use
> signals for inter-thread communication.

It's unfortunate that no one has seriously proposed mode bits on processes
for signal delivery. The UID matching policy is inconvenient in a lot of
cases. Hmmm...

> This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials. I wonder if I need to disable cancellation for threads
> with such credentials.
>
> Thanks,
> Florian
>
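As an added example (not code from either participant in this thread), a small C program that exercises the situation under discussion: a worker thread changes its own effective uid with the raw setresuid syscall (glibc's wrapper would instead broadcast the change to the whole thread group), and the main thread then signals it with pthread_kill. DEMO_UID, the demo_result struct and run_demo() are constructed for this example; the uid change only takes effect when the process has CAP_SETUID, otherwise the syscall fails with EPERM and the signal path is still exercised with unchanged credentials.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Constructed uid for the worker; needs CAP_SETUID, else the syscall fails with EPERM. */
#define DEMO_UID 65534

struct demo_result {
    int   setuid_errno;  /* 0 if the per-thread setresuid succeeded, else errno */
    uid_t worker_euid;   /* effective uid the worker sees afterwards */
    uid_t main_euid;     /* effective uid the main thread still has */
    int   kill_rc;       /* pthread_kill() return value in the main thread */
    int   received;      /* signal number the worker actually collected */
};
struct demo_result demo_last;       /* filled in by run_demo() */
static pthread_barrier_t barrier;

static void *worker(void *arg)
{
    struct demo_result *r = arg;
    sigset_t set;
    int sig = 0;
    /* Keep SIGUSR1 blocked so the thread-directed signal waits for sigwait(). */
    sigemptyset(&set); sigaddset(&set, SIGUSR1);
    pthread_sigmask(SIG_BLOCK, &set, NULL);
    /* The raw syscall changes only this thread's credentials; glibc's
     * setresuid() wrapper would broadcast the change to every thread. */
    r->setuid_errno = (syscall(SYS_setresuid, -1, DEMO_UID, -1) == -1) ? errno : 0;
    r->worker_euid = geteuid();
    pthread_barrier_wait(&barrier);  /* creds now (possibly) differ from main's */
    sigwait(&set, &sig);
    r->received = sig;
    return NULL;
}

/* Runs the demo; returns pthread_kill()'s result (0 = signal accepted). */
int run_demo(void)
{
    pthread_t tid;
    pthread_barrier_init(&barrier, NULL, 2);
    if (pthread_create(&tid, NULL, worker, &demo_last) != 0)
        return -1;
    pthread_barrier_wait(&barrier);
    demo_last.main_euid = geteuid();
    demo_last.kill_rc = pthread_kill(tid, SIGUSR1);  /* same thread group: DAC allows it */
    pthread_join(tid, NULL);
    pthread_barrier_destroy(&barrier);
    return demo_last.kill_rc;
}
```

Call run_demo() from a main() and inspect demo_last: kill_rc stays 0 whether or not the uid change took effect, because the kernel's DAC check skips the credential comparison for tasks in the same thread group, which leaves an LSM's security_task_kill hook as the only place that could still refuse the signal.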