From: Stephen Smalley This patch against 2.6.0 adds a control to the SELinux module over the inheritance of signal-related state upon security context transitions in order to protect the new security context. If the permission is not granted by the policy for a given pair of contexts, then transitions between them will clear itimers, flush all pending signals, forcibly flush signal handlers, and unblock all signals. Roland McGrath provided input and feedback on the patch. Please apply, or let James Morris and me know if you'd like this to be resubmitted later. Thanks. 25-akpm/security/selinux/hooks.c | 23 ++++++++++++++++++- 25-akpm/security/selinux/include/av_perm_to_string.h | 1 25-akpm/security/selinux/include/av_permissions.h | 1 3 files changed, 24 insertions(+), 1 deletion(-) diff -puN security/selinux/hooks.c~selinux-signal-state-inheritance-control security/selinux/hooks.c --- 25/security/selinux/hooks.c~selinux-signal-state-inheritance-control Tue Dec 23 13:04:35 2003 +++ 25-akpm/security/selinux/hooks.c Tue Dec 23 13:04:35 2003 @@ -1515,7 +1515,8 @@ static void selinux_bprm_compute_creds(s struct bprm_security_struct *bsec; u32 sid; struct av_decision avd; - int rc; + struct itimerval itimer; + int rc, i; secondary_ops->bprm_compute_creds(bprm); 
@@ -1565,6 +1566,26 @@ static void selinux_bprm_compute_creds(s /* Close files for which the new task SID is not authorized. */ flush_unauthorized_files(current->files); + /* Check whether the new SID can inherit signal state + from the old SID. If not, clear itimers to avoid + subsequent signal generation and flush and unblock + signals. This must occur _after_ the task SID has + been updated so that any kill done after the flush + will be checked against the new SID. */ + rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS, + PROCESS__SIGINH, NULL, NULL); + if (rc) { + memset(&itimer, 0, sizeof itimer); + for (i = 0; i < 3; i++) + do_setitimer(i, &itimer, NULL); + flush_signals(current); + spin_lock_irq(¤t->sighand->siglock); + flush_signal_handlers(current, 1); + sigemptyset(¤t->blocked); + recalc_sigpending(); + spin_unlock_irq(¤t->sighand->siglock); + } + /* Wake up the parent if it is waiting so that it can recheck wait permission to the new task SID. */ wake_up_interruptible(¤t->parent->wait_chldexit); diff -puN security/selinux/include/av_permissions.h~selinux-signal-state-inheritance-control security/selinux/include/av_permissions.h --- 25/security/selinux/include/av_permissions.h~selinux-signal-state-inheritance-control Tue Dec 23 13:04:35 2003 +++ 25-akpm/security/selinux/include/av_permissions.h Tue Dec 23 13:04:35 2003 @@ -450,6 +450,7 @@ #define PROCESS__SETEXEC 0x00020000UL #define PROCESS__SETFSCREATE 0x00040000UL #define PROCESS__NOATSECURE 0x00080000UL +#define PROCESS__SIGINH 0x00100000UL #define IPC__SETATTR 0x00000008UL #define IPC__READ 0x00000010UL diff -puN security/selinux/include/av_perm_to_string.h~selinux-signal-state-inheritance-control security/selinux/include/av_perm_to_string.h --- 25/security/selinux/include/av_perm_to_string.h~selinux-signal-state-inheritance-control Tue Dec 23 13:04:35 2003 +++ 25-akpm/security/selinux/include/av_perm_to_string.h Tue Dec 23 13:04:35 2003 
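Review bot: The timer-clearing loop `for (i = 0; i < 3; i++)` hard-codes the number of interval timers, and the `if (rc)` branch treats any non-zero result from avc_has_perm() — a transient error such as -ENOMEM as much as -EACCES — as a denial without saying so; both choices deserve a word, since this is the branch that decides whether the new context's signal state is scrubbed. I would iterate with the named constants, `for (i = ITIMER_REAL; i <= ITIMER_PROF; i++)` (assuming the ITIMER_* definitions are visible in hooks.c), and put `/* Fail closed: any error, not only -EACCES, is treated as a denial of siginh. */` above the branch so the conservative handling reads as deliberate. The `¤t->sighand->siglock` spellings in the locking lines look like a rendering of `&current` (an `&curren;` entity) rather than the patch text, so I do not count them as a defect. selinux_bprm_compute_creds() begins before this hunk and continues past it.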
@@ -66,6 +66,7 @@ static struct av_perm_to_string av_perm_ { SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" }, { SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" }, { SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" }, + { SECCLASS_PROCESS, PROCESS__SIGINH, "siginh" }, { SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" }, { SECCLASS_MSG, MSG__SEND, "send" }, { SECCLASS_MSG, MSG__RECEIVE, "receive" }, _