rpms/kernel/F-8 linux-2.6-selinux-sigchld-wait.patch, NONE, 1.1 kernel.spec, 1.240, 1.241

Eric Paris (eparis) fedora-extras-commits at redhat.com
Tue Oct 23 18:28:03 UTC 2007


Author: eparis

Update of /cvs/pkgs/rpms/kernel/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1679

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-selinux-sigchld-wait.patch 
Log Message:
* Tue Oct 23 2007 Eric Paris <eparis at redhat.com>
- check sigchld when waiting on a task (gdb/selinux interaction)


linux-2.6-selinux-sigchld-wait.patch:

--- NEW FILE linux-2.6-selinux-sigchld-wait.patch ---
From: Eric Paris <eparis at redhat.com>
Date: Mon, 22 Oct 2007 20:10:31 +0000 (-0400)
Subject: SELinux: always check SIGCHLD in selinux_task_wait
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjmorris%2Fselinux-2.6.git;a=commitdiff_plain;h=8a53514043e380aa573baa805298a7727c993985

SELinux: always check SIGCHLD in selinux_task_wait

When checking if we can wait on a child we were looking at
p->exit_signal and trying to make the decision based on if the signal
would eventually be allowed.  One big flaw is that p->exit_signal is -1
for NPTL threads and so signal_to_av was not actually checking SIGCHLD
which is what would have been sent.  Even if exit_signal was set to
something strange it wouldn't change the fact that the child was there
and needed to be waited on.  This patch just assumes wait is based on
SIGCHLD.  Specific permission checks are made when the child actually
attempts to send a signal.

This resolves the problem of things like using GDB on confined domains
such as in RH BZ 232371.  The confined domain did not have permission to
send a generic signal (exit_signal == -1) back to the unconfined GDB.
With this patch the GDB wait works and since the actual signal sent is
allowed everything functions as it should.

Signed-off-by: Eric Paris <eparis at redhat.com>
Signed-off-by: James Morris <jmorris at namei.org>
---

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 24e1b18..9f3124b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2977,11 +2977,7 @@ static int selinux_task_prctl(int option,
 
 static int selinux_task_wait(struct task_struct *p)
 {
-	u32 perm;
-
-	perm = signal_to_av(p->exit_signal);
-
-	return task_has_perm(p, current, perm);
+	return task_has_perm(p, current, PROCESS__SIGCHLD);
 }
 
 static void selinux_task_reparent_to_init(struct task_struct *p)
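Review bot: the unconditional `PROCESS__SIGCHLD` check in `selinux_task_wait()` has no comment saying why `p->exit_signal` is no longer consulted. The rationale (exit_signal is -1 for NPTL threads, and the real signal is checked when the child sends it) lives only in the commit message, so a short comment above the `return` would keep someone from reintroducing `signal_to_av(p->exit_signal)` here. It is also worth recording that a parent waiting on a child with a non-SIGCHLD exit_signal is now checked against the sigchld permission rather than the permission for that signal, so policy that granted only the latter would now have the wait denied.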


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-8/kernel.spec,v
retrieving revision 1.240
retrieving revision 1.241
diff -u -r1.240 -r1.241
--- kernel.spec	23 Oct 2007 17:53:07 -0000	1.240
+++ kernel.spec	23 Oct 2007 18:27:29 -0000	1.241
@@ -700,6 +700,7 @@
 Patch2200: linux-2.6-selinux-no-revalidate-read-write.patch
 Patch2201: linux-2.6-selinux-ebitmap-for-avc-miss.patch
 Patch2202: linux-2.6-selinux-ebitmap-for-avc-miss-cleanup.patch
+Patch2203: linux-2.6-selinux-sigchld-wait.patch
 # cputime accounting is broken, revert to 2.6.22 version
 Patch2220: linux-2.6-cputime-fix-accounting.patch
 
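Review bot: the new `Patch2203:` line has no comment giving its upstream status, while the neighbouring `Patch2220` entry carries one. A one-line comment above it pointing at the selinux-2.6.git commit (8a53514043e380aa573baa805298a7727c993985) would tell whoever rebases this spec when the patch can be dropped.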
@@ -1267,6 +1268,7 @@
 ApplyPatch linux-2.6-selinux-no-revalidate-read-write.patch
 ApplyPatch linux-2.6-selinux-ebitmap-for-avc-miss.patch
 ApplyPatch linux-2.6-selinux-ebitmap-for-avc-miss-cleanup.patch
+ApplyPatch linux-2.6-selinux-sigchld-wait.patch
 
 # cputime accounting fix, fixes "task using 9999% of CPU"
 ApplyPatch linux-2.6-cputime-fix-accounting.patch
@@ -1866,6 +1868,9 @@
 
 
 %changelog
+* Tue Oct 23 2007 Eric Paris <eparis at redhat.com>
+- check sigchld when waiting on a task (gdb/selinux interaction)
+
 * Tue Oct 23 2007 John W. Linville <linville at redhat.com>
 - remove problematic hunk from ath5k fixes patch
 
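Review bot: the new %changelog entry does not cite the bug that the patch's commit message names (RH BZ 232371). Adding the bug number to the `- check sigchld when waiting on a task` line would let the fix be traced from the package changelog.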



