[PATCH] Add signal state inheritance control to SELinux

From: Stephen Smalley <sds@epoch.ncsc.mil> This patch against 2.6.0 adds a control to the SELinux module over the inheritance of signal-related state upon security context transitions in order to protect the new security context. If the permission is not granted by the policy for a given pair of contexts, then transitions between them will clear itimers, flush all pending signals, forcibly flush signal handlers, and unblock all signals. Roland McGrath provided input and feedback on the patch. Please apply, or let James Morris and me know if you'd like this to be resubmitted later. Thanks.

[PATCH] Add signal state inheritance control to SELinux
From: Stephen Smalley <sds@epoch.ncsc.mil> This patch against 2.6.0 adds a control to the SELinux module over the inheritance of signal-related state upon security context transitions in order to protect the new security context. If the permission is not granted by the policy for a given pair of contexts, then transitions between them will clear itimers, flush all pending signals, forcibly flush signal handlers, and unblock all signals. Roland McGrath provided input and feedback on the patch. Please apply, or let James Morris and me know if you'd like this to be resubmitted later. Thanks.
23644641 · Andrew Morton · Linus Torvalds · e606758e · 23644641 · 23644641
Commit 23644641 authored Dec 29, 2003 by Andrew Morton Committed by Linus Torvalds Dec 29, 2003
3 changed files
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1515,7 +1515,8 @@ static void selinux_bprm_compute_creds(struct linux_binprm *bprm)
 	struct bprm_security_struct *bsec;
 	u32 sid;
 	struct av_decision avd;
-	int rc;
+	struct itimerval itimer;
+	int rc, i;

 	secondary_ops->bprm_compute_creds(bprm);

@@ -1565,6 +1566,26 @@ static void selinux_bprm_compute_creds(struct linux_binprm *bprm)
 		/* Close files for which the new task SID is not authorized. */
 		flush_unauthorized_files(current->files);

+		/* Check whether the new SID can inherit signal state
+		   from the old SID.  If not, clear itimers to avoid
+		   subsequent signal generation and flush and unblock
+		   signals. This must occur _after_ the task SID has
+                  been updated so that any kill done after the flush
+                  will be checked against the new SID. */
+		rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
+				  PROCESS__SIGINH, NULL, NULL);
+		if (rc) {
+			memset(&itimer, 0, sizeof itimer);
+			for (i = 0; i < 3; i++)
+				do_setitimer(i, &itimer, NULL);
+			flush_signals(current);
+			spin_lock_irq(&current->sighand->siglock);
+			flush_signal_handlers(current, 1);
+			sigemptyset(&current->blocked);
+			recalc_sigpending();
+			spin_unlock_irq(&current->sighand->siglock);
+		}
+
 		/* Wake up the parent if it is waiting so that it can
 		   recheck wait permission to the new task SID. */
 		wake_up_interruptible(&current->parent->wait_chldexit);

--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -66,6 +66,7 @@ static struct av_perm_to_string av_perm_to_string[] = {
   { SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec" },
   { SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate" },
   { SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure" },
+   { SECCLASS_PROCESS, PROCESS__SIGINH, "siginh" },
   { SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue" },
   { SECCLASS_MSG, MSG__SEND, "send" },
   { SECCLASS_MSG, MSG__RECEIVE, "receive" },

--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -450,6 +450,7 @@
 #define PROCESS__SETEXEC                          0x00020000UL
 #define PROCESS__SETFSCREATE                      0x00040000UL
 #define PROCESS__NOATSECURE                       0x00080000UL
+#define PROCESS__SIGINH                           0x00100000UL

 #define IPC__SETATTR                              0x00000008UL
 #define IPC__READ                                 0x00000010UL