| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Nov 2008 18:00:12 -0800 From: ebiederm@...ssion.com (Eric W. Biederman) To: Roland McGrath <roland@...hat.com> Cc: Oleg Nesterov <oleg@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Pavel Emelyanov <xemul@...nvz.org>, "Serge E. Hallyn" <serue@...ibm.com>, Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com>, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] protect /sbin/init from unwanted signals more Roland McGrath <roland@...hat.com> writes: > The effect is fine, but that seems like a kludgey way to do it. > I really don't think the sigaction case matters--certainly it will never > come up with SIGKILL. What about just this instead? > > --- a/kernel/signal.c > +++ b/kernel/signal.c > @@ -66,6 +66,15 @@ static int sig_ignored(struct task_struct *t, int sig) > return 0; > > handler = sig_handler(t, sig); > + > + /* > + * For init, short-circuit any signal without a handler. > + * We won't allow them to be delivered, so don't even queue them. > + */ > + if (unlikely(signal->flags & SIGNAL_UNKILLABLE) && > + (handler == SIG_IGN || handler == SIG_DFL)) > + return 1; > + > if (!sig_handler_ignored(handler, sig)) > return 0; > > With that, I wonder if the SIGNAL_UNKILLABLE checks in get_signal_to_deliver > and complete_signal are needed at all. Hmm, I guess we do because this > doesn't affect blocked signals, so they might be unblocked and delivered. > (Note that since it doesn't affect blocked signals, this doesn't break init > using sigwait if it wanted to.) Ah. That answers the question I had bouncing in the back of my head. My original analysis of the situation was that we should not send blocked signals. Treating handler != SIG_DFL as a permission check. Not as an optimization. Mostly because it is more consistent and uniform. inits today don't do anything with blocked signals. They explicitly ignore all signals, they don't want to deal with an enable those they do. Which I guess means in practice only SIGKILL and SIGSTOP are especially interesting, and we can't block those so worrying about blocked signals is no big deal. Which reminds me. I need to retest, but I had a case where I had a trivial init that set all signal handlers to SIG_IGN so it could ignore SIGCHLD. And not all of it's children were getting reaped automagically. Do we have a bug in the reparenting/reaping logic? Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists