On Mon, Nov 19, 2018 at 7:45 AM, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> On Mon, Nov 19, 2018 at 2:33 AM Christian Brauner <christian@xxxxxxxxxx> wrote:
>>
>> The kill() syscall operates on process identifiers. After a process has
>> exited its pid can be reused by another process. If a caller sends a signal
>> to a reused pid it will end up signaling the wrong process. This issue has
>> often surfaced and there has been a push [1] to address this problem.
>>
>> A prior patch has introduced the ability to get a file descriptor
>> referencing struct pid by opening /proc/<pid>. This guarantees a stable
>> handle on a process which can be used to send signals to the referenced
>> process. Discussion has shown that a dedicated syscall is preferable over
>> ioctl()s. Thus, the new syscall procfd_signal() is introduced to solve
>> this problem. It operates on a process file descriptor.
>> The syscall takes an additional siginfo_t and flags argument. If siginfo_t
>> is NULL then procfd_signal() behaves like kill() if it is not NULL it
>> behaves like rt_sigqueueinfo.
>> The flags argument is added to allow for future extensions of this syscall.
>> It currently needs to be passed as 0.
>
> A few questions. First: you've made this work on /proc/PID, but
> should it also work on /proc/PID/task/TID to send signals to a
> specific thread?
+1
>> + if (info) {
>> + ret = __copy_siginfo_from_user(sig, &kinfo, info);
>> + if (unlikely(ret))
>> + goto err;
>> + /*
>> + * Not even root can pretend to send signals from the kernel.
>> + * Nor can they impersonate a kill()/tgkill(), which adds
>> + * source info.
>> + */
>> + ret = -EPERM;
>> + if ((kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL) &&
>> + (task_pid(current) != pid))
>> + goto err;
>
> Is the exception for signaling yourself actually useful here?
All the signal functions exempt the current process from access
checks. Whether that's useful or not (and I think it is), being
inconsistent here would be wrong.
