From owner-cvs-all Sun Jan 6 14:46:48 2002
Date: Sun, 6 Jan 2002 17:46:33 -0500 (EST)
From: Robert Watson <robert@fledge.watson.org>
To: Alfred Perlstein
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_sig.c
In-Reply-To: <20020106164340.B14427@elvis.mu.org>

On Sun, 6 Jan 2002, Alfred Perlstein wrote:

> * Robert Watson [020105 18:54] wrote:
> > rwatson     2002/01/05 16:54:47 PST
> >
> >   Modified files:
> >     sys/kern             kern_sig.c
> >   Log:
> >   - Teach SIGIO code to use cr_cansignal() instead of a custom CANSIGIO()
> >     macro.  As a result, mandatory signal delivery policies will be
> >     applied consistently across the kernel.
> >
> >   - Note that this subtly changes the protection semantics, and we should
> >     watch out for any resulting breakage.  Previously, delivery of SIGIO
> >     in this circumstance was limited to situations where the subject was
> >     privileged, or where one of the subject's (ruid, euid) matched one
> >     of the object's (ruid, euid).  In the new scenario, subject (ruid, euid)
> >     are matched against the object's (ruid, svuid), and the object uids
> >     must be a subset of the subject uids.  Likewise, jail now affects
> >     delivery, and special handling for P_SUGID of the object is present.
> >     This change can always be reversed or tweaked if it proves to disrupt
> >     application behavior substantially.
>
> Please provide a report on how previous SIGIO exploits behave with
> this code.  You can find mention of them in the cvs logs and most
> likely at CERT.  Basically make sure you haven't opened up any races
> wrt falsely sending sigio to processes one shouldn't be able to.

Arguably, this actually narrows the opportunity for vulnerabilities:
previously, if a daemon set its euid to that of a user temporarily, the
user processes could signal it using SIGIO.  This is now prevented.  I
will review the various SIGIO exploits in the past and see if I can dig
anything up.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
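As an added illustration (constructed here, not code from the commit or from the FreeBSD kernel), the following C model contrasts the old CANSIGIO() rule with the uid-subset rule the log describes, run over the daemon-with-temporary-euid scenario from the reply. It models only the uid matching: the jail and P_SUGID handling the log mentions are not specified in the thread and are left out, and the privileged bypass in the new rule is an assumption; the uid 1001 is a constructed sample value.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Constructed model of the two SIGIO delivery policies from the log; not the
 * kernel's cr_cansignal() or CANSIGIO() code. Jail and P_SUGID handling,
 * mentioned but not specified in the log, are intentionally not modelled. */
struct cred_model {
    uid_t ruid, euid, svuid;   /* real, effective and saved uids */
    bool  privileged;          /* subject holds superuser privilege */
};

/* Old CANSIGIO(): privileged, or any of the subject's (ruid, euid) equals
 * any of the object's (ruid, euid). */
bool cansigio_old(const struct cred_model *subj, const struct cred_model *obj)
{
    if (subj->privileged)
        return true;
    return subj->ruid == obj->ruid || subj->ruid == obj->euid ||
           subj->euid == obj->ruid || subj->euid == obj->euid;
}

static bool is_subject_uid(uid_t u, const struct cred_model *subj)
{
    return u == subj->ruid || u == subj->euid;
}

/* New rule as the log states it: the object's (ruid, svuid) must be a subset
 * of the subject's (ruid, euid). The privileged bypass is an assumption. */
bool cansigio_new(const struct cred_model *subj, const struct cred_model *obj)
{
    if (subj->privileged)
        return true;
    return is_subject_uid(obj->ruid, subj) && is_subject_uid(obj->svuid, subj);
}

/* Scenario from the reply: an unprivileged user (constructed uid 1001) tries
 * to SIGIO a root daemon that has temporarily set its euid to 1001. */
static const struct cred_model user        = { 1001, 1001, 1001, false };
static const struct cred_model root_daemon = {    0, 1001,    0, false };

bool daemon_scenario_old(void) { return cansigio_old(&user, &root_daemon); }
bool daemon_scenario_new(void) { return cansigio_new(&user, &root_daemon); }

/* Ordinary case: a user's own process, same uids throughout, is still allowed. */
bool own_process_new(void) { return cansigio_new(&user, &user); }
```

Under the old rule the daemon's borrowed euid alone lets the user's process deliver SIGIO; under the subset rule the daemon's ruid and svuid of 0 are not among the user's uids, so delivery is refused while a user's own processes remain signalable.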