Re: Security modules and sending signals within the same process

From: Casey Schaufler <hidden>
Date: 2018-11-30 17:54:44
Also in: linux-security-module, selinux

On 11/30/2018 7:14 AM, Florian Weimer wrote:
> Is it guaranteed that tasks in the same thread group can always send
> signals to each other, irrespective of their respective credentials
> structs?

No. An LSM may choose to disallow this based on just about any
criteria it desires.

> It's not clear to me whether this is always possible based on the
> security_task_kill implementations I've examined.

SELinux, Smack and AppArmor make their decisions based on
the task_struct credential, so if it's possible to change
the LSM attributes at the task granularity, it's possible
to have a process that can't always talk to itself.

> I want to support per-thread setresuid/setresgid,

That's pretty dangerous in its own right. Effectively
the process containing the threads has multiple UIDs.
That complicates the DAC model significantly.

> but we also use
> signals for inter-thread communication.

It's unfortunate that no one has seriously proposed
mode bits on processes for signal delivery. The UID
matching policy is inconvenient in a lot of cases.
Hmmm...

> This is mainly for thread
> cancellation; the setxgid stuff isn't needed for threads with private
> credentials.  I wonder if I need to disable cancellation for threads
> with such credentials.
>
> Thanks,
> Florian

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
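
Added example, not part of the original message or of any project discussed in it: a C probe for the situation described above, where one thread takes private credentials through the raw setresuid syscall and both threads then use signal 0 to ask whether they may still signal each other. DEMO_UID and all function names are assumptions made for illustration; the credential change only succeeds when the process holds CAP_SETUID, and the probe runs either way.

```c
/* Added example (Linux): can threads of one process still signal each other? */
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#define DEMO_UID 65534 /* assumption: an unprivileged uid ("nobody") */

static pthread_barrier_t gate;   /* reused for both rendezvous points */
static pthread_t main_thread;
static int worker_setuid_ok;     /* 1 if the per-thread setresuid succeeded */
static int worker_to_main;       /* 0 or an errno value such as EPERM */

static void *worker(void *arg)
{
    (void)arg;
    /* Raw syscall: only this thread's credentials change. The glibc
     * setresuid() wrapper would apply the change to every thread. */
    worker_setuid_ok = syscall(SYS_setresuid, DEMO_UID, DEMO_UID, DEMO_UID) == 0;
    /* Signal 0 runs the permission checks without delivering anything. */
    worker_to_main = pthread_kill(main_thread, 0);
    pthread_barrier_wait(&gate); /* stay alive while main probes us */
    pthread_barrier_wait(&gate);
    return NULL;
}

/* Returns 0 if both directions are permitted, else the first errno value, or -1. */
int probe_intra_process_signals(void)
{
    pthread_t t;
    int main_to_worker;
    main_thread = pthread_self();
    pthread_barrier_init(&gate, NULL, 2);
    if (pthread_create(&t, NULL, worker, NULL) != 0)
        return -1;
    pthread_barrier_wait(&gate);
    main_to_worker = pthread_kill(t, 0);
    pthread_barrier_wait(&gate);
    pthread_join(t, NULL);
    return main_to_worker ? main_to_worker : worker_to_main;
}

int main(void)
{
    int rc = probe_intra_process_signals();
    printf("private creds: %d, probe result: %d\n", worker_setuid_ok, rc);
    return rc != 0;
}
```

A nonzero probe result on a given system means signal-based mechanisms such as thread cancellation cannot be relied on for that thread under the loaded policy.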