On Tue, Feb 20, 2024 at 12:00:12PM +0100, Oleg Nesterov wrote: > On 02/20, Christian Brauner wrote: > > > > On Tue, Feb 20, 2024 at 10:02:56AM +0100, Oleg Nesterov wrote: > > > > > > Ah. IIRC criu uses this hack to restore the pending (arbitrary) signals > > > collected at dump time. > > > > > > I was a bit surprise sys_pidfd_send_signal() allows this hack too, I don't > > > > I think that we simply mirrored the restrictions in the other system > > calls. > > > > > think that criu uses pidfd at restore time, but I do not know. > > > > Hm, I just checked and it doesn't use pidfd_send_signal(). It uses > > pidfds but only for pid reuse detection for RPC clients. > > But perhaps something else already uses pidfd_send_signal() with info != NULL > or with info->si_code == SI_USER, we can't know. Please see below. > > > So right now si_code is blocked for >= 0 and for SI_TKILL. If we were to > > simply ensure that si_code can't be < 0 then this amounts to effectively > > blocking @info from being filled in by userspace at all. Because 0 is a > > valid value. > > I'am afraid I misunderstand you again... 0 == SI_USER is not a valid value > when siginfo != NULL. Yes, I know. We're on the same page. I would just have preferred to restrict remulating si_code completely because we don't know whether that's actually used for pidfd_send_signal(). The point I was trying to make is that si_code has no value that means "unset" so restricting si_code further means always rejecting @info when it's passed. > > Perhaps we can kill the "task_pid(current) != pid" check and just return > EPERM if "kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL", I don't think > anobody needs pidfd_send_send_signal() to signal yourself. See below. Yeah. > > > + /* Currently unused. */ > > + if (info) > > + return -EINVAL; > > Well, to me this looks like the unnecessary restriction... And why? Because right now we aren't sure that it's used and we aren't sure what use-cases are there. > > But whatever we do, > > > - /* Only allow sending arbitrary signals to yourself. */ > > - ret = -EPERM; > > - if ((task_pid(current) != pid) && > > - (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) > > - goto err; > > Can I suggest to fix this check in your tree (add type > PIDTYPE_TGID as > we discussed) first, then do other changes on top? Yes, absolutely. That was always the plan. See appended patch I put on top. I put you as author since you did spot this. Let me know if you don't want that.
>From 67a1a77630c00f457a46e1164caf0d32c0edc127 Mon Sep 17 00:00:00 2001 From: Oleg Nesterov <oleg@xxxxxxxxxx> Date: Tue, 20 Feb 2024 13:53:00 +0100 Subject: [PATCH] signal: adjust si_code restriction in pidfd_send_signal() Since we now allow specifying PIDFD_SEND_PROCESS_GROUP for pidfd_send_signal() to send signals to process groups we need to adjust the check restricting si_code emulation by userspace to account for PIDTYPE_PGID. Reported-by: Oleg Nesterov <oleg@xxxxxxxxxx> Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx> Link: https://lore.kernel.org/r/20240214123655.GB16265@xxxxxxxxxx Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx> --- kernel/signal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/signal.c b/kernel/signal.c index cf6539a6b1cb..5f5620c81d3a 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -3956,7 +3956,7 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, int, sig, /* Only allow sending arbitrary signals to yourself. */ ret = -EPERM; - if ((task_pid(current) != pid) && + if (((task_pid(current) != pid) || type > PIDTYPE_TGID) && (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL)) goto err; } else { -- 2.43.0
