mirror of
https://github.com/torvalds/linux.git
synced 2025-04-06 00:16:18 +00:00
18eb75f3af
Because Linux credentials are managed per thread, user space relies on some hack to synchronize credential update across threads from the same process. This is required by the Native POSIX Threads Library and implemented by set*id(2) wrappers and libcap(3) to use tgkill(2) to synchronize threads. See nptl(7) and libpsx(3). Furthermore, some runtimes like Go do not enable developers to have control over threads [1]. To avoid potential issues, and because threads are not security boundaries, let's relax the Landlock (optional) signal scoping to always allow signals sent between threads of the same process. This exception is similar to the __ptrace_may_access() one. hook_file_set_fowner() now checks if the target task is part of the same process as the caller. If this is the case, then the related signal triggered by the socket will always be allowed. Scoping of abstract UNIX sockets is not changed because kernel objects (e.g. sockets) should be tied to their creator's domain at creation time. Note that creating one Landlock domain per thread puts each of these threads (and their future children) in their own scope, which is probably not what users expect, especially in Go where we do not control threads. However, being able to drop permissions on all threads should not be restricted by signal scoping. We are working on a way to make it possible to atomically restrict all threads of a process with the same domain [2]. Add erratum for signal scoping. Closes: https://github.com/landlock-lsm/go-landlock/issues/36 Fixes: 54a6e6bbf3be ("landlock: Add signal scoping") Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads") Depends-on: 26f204380a3c ("fs: Fix file_set_fowner LSM hook inconsistencies") Link: https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/psx [1] Link: https://github.com/landlock-lsm/linux/issues/2 [2] Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Serge Hallyn <serge@hallyn.com> Cc: Tahera Fahimi <fahimitahera@gmail.com> Cc: stable@vger.kernel.org Acked-by: Christian Brauner <brauner@kernel.org> Link: https://lore.kernel.org/r/20250318161443.279194-6-mic@digikod.net [mic: Add extra pointer check and RCU guard, and ease backport] Signed-off-by: Mickaël Salaün <mic@digikod.net>
20 lines
854 B
C
20 lines
854 B
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
|
|
/**
|
|
* DOC: erratum_2
|
|
*
|
|
* Erratum 2: Scoped signal handling
|
|
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
*
|
|
* This fix addresses an issue where signal scoping was overly restrictive,
|
|
* preventing sandboxed threads from signaling other threads within the same
|
|
* process if they belonged to different domains. Because threads are not
|
|
* security boundaries, user space might assume that any thread within the same
|
|
* process can send signals between themselves (see :manpage:`nptl(7)` and
|
|
* :manpage:`libpsx(3)`). Consistent with :manpage:`ptrace(2)` behavior, direct
|
|
* interaction between threads of the same process should always be allowed.
|
|
* This change ensures that any thread is allowed to send signals to any other
|
|
* thread within the same process, regardless of their domain.
|
|
*/
|
|
LANDLOCK_ERRATUM(2)
|