Gitweb: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8a53514043e380aa573baa805298a7727c993985 Commit: 8a53514043e380aa573baa805298a7727c993985 Parent: 55b70a0300b873c0ec7ea6e33752af56f41250ce Author: Eric Paris <[EMAIL PROTECTED]> AuthorDate: Mon Oct 22 16:10:31 2007 -0400 Committer: James Morris <[EMAIL PROTECTED]> CommitDate: Tue Oct 23 08:47:48 2007 +1000
SELinux: always check SIGCHLD in selinux_task_wait When checking if we can wait on a child we were looking at p->exit_signal and trying to make the decision based on if the signal would eventually be allowed. One big flaw is that p->exit_signal is -1 for NPTL threads and so aignal_to_av was not actually checking SIGCHLD which is what would have been sent. Even is exit_signal was set to something strange it wouldn't change the fact that the child was there and needed to be waited on. This patch just assumes wait is based on SIGCHLD. Specific permission checks are made when the child actually attempts to send a signal. This resolves the problem of things like using GDB on confined domains such as in RH BZ 232371. The confined domain did not have permission to send a generic signal (exit_signal == -1) back to the unconfined GDB. With this patch the GDB wait works and since the actual signal sent is allowed everything functions as it should. Signed-off-by: Eric Paris <[EMAIL PROTECTED]> Signed-off-by: James Morris <[EMAIL PROTECTED]> --- security/selinux/hooks.c | 6 +----- 1 files changed, 1 insertions(+), 5 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 24e1b18..9f3124b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2977,11 +2977,7 @@ static int selinux_task_prctl(int option, static int selinux_task_wait(struct task_struct *p) { - u32 perm; - - perm = signal_to_av(p->exit_signal); - - return task_has_perm(p, current, perm); + return task_has_perm(p, current, PROCESS__SIGCHLD); } static void selinux_task_reparent_to_init(struct task_struct *p) - To unsubscribe from this list: send the line "unsubscribe git-commits-head" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html