[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-api
Subject:    Re: [apparmor] Security modules and sending signals within the same process
From:       John Johansen <john.johansen () canonical ! com>
Date:       2018-11-30 23:38:41
Message-ID: 0a19aab1-ce46-a906-75ad-f42d91427adf () canonical ! com
[Download RAW message or body]

On 11/30/18 9:54 AM, Casey Schaufler wrote:
> On 11/30/2018 7:14 AM, Florian Weimer wrote:
>> Is it guaranteed that tasks in the same thread group can always send
>> signals to each other, irrespective of their respective credentials
>> structs?
> 
> No. An LSM may chose to disallow this based on just about any
> criteria it desires.
> 

And apparmor is in fact doing this a few limited situations, userspace
has to request the profile change via an api, and regular policy
enforcement based on credentials mediates the signals. Its not
something we recommend but it has been used.


[prev in list] [next in list] [prev in thread] [next in thread]