| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87fty9pbd2.fsf_-_@xmission.com>
Date: Sun, 16 Sep 2018 20:04:41 +0200
From: ebiederm@...ssion.com (Eric W. Biederman)
To: <linux-kernel@...r.kernel.org>
Cc: Oleg Nesterov <oleg@...hat.com>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: [PATCH 1/4] tty_io: Use group_send_sig_info in __do_SACK to note it is a session being killed
Replace send_sig and force_sig in __do_SAK with group_send_sig_info
the general helper for sending a signal to a process group. This is
wordier but it allows specifying PIDTYPE_SID so that the signal code
knows the signal went to a session.
Both force_sig() and send_sig(..., 1) specify SEND_SIG_PRIV and the
new call of group_send_sig_info does that explicitly. This is enough
to ensure even a pid namespace init is killed.
The global init remains unkillable. The guarantee that __do_SAK tries
to provide is a clean path to login to a machine. As the global init is
unkillable, if it chooses to hold open a tty it can violate this
guarantee. A technique other than killing processes would be needed
to provide this guarantee to userspace.
The only difference between force_sig and send_sig when sending
SIGKILL is that SIGNAL_UNKILLABLE is cleared. This has no affect on
the processing of a signal sent with SEND_SIG_PRIV by any process, making
it unnecessary, and not behavior that needs to be preserved.
force_sig was used originally because it did not take as many locks as
send_sig. Today send_sig, force_sig and group_send_sig_info take the
same locks when delivering a signal.
group_send_sig_info also contains a permission check that force_sig
and send_sig do not. However the presence of SEND_SIG_PRIV makes the
permission check a noop. So the permission check does not result
in any behavioral differences.
Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
---
drivers/tty/tty_io.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 32bc3e3fe4d3..6553247a761f 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2738,7 +2738,7 @@ void __do_SAK(struct tty_struct *tty)
do_each_pid_task(session, PIDTYPE_SID, p) {
tty_notice(tty, "SAK: killed process %d (%s): by session\n",
task_pid_nr(p), p->comm);
- send_sig(SIGKILL, p, 1);
+ group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
} while_each_pid_task(session, PIDTYPE_SID, p);
/* Now kill any processes that happen to have the tty open */
@@ -2746,7 +2746,7 @@ void __do_SAK(struct tty_struct *tty)
if (p->signal->tty == tty) {
tty_notice(tty, "SAK: killed process %d (%s): by controlling tty\n",
task_pid_nr(p), p->comm);
- send_sig(SIGKILL, p, 1);
+ group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
continue;
}
task_lock(p);
@@ -2754,7 +2754,7 @@ void __do_SAK(struct tty_struct *tty)
if (i != 0) {
tty_notice(tty, "SAK: killed process %d (%s): by fd#%d\n",
task_pid_nr(p), p->comm, i - 1);
- force_sig(SIGKILL, p);
+ group_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_SID);
}
task_unlock(p);
} while_each_thread(g, p);
--
2.17.1
Powered by blists - more mailing lists