Allow to use kill(2) in capability mode, but process can send a signal only

to himself. For example abort(3) at first tries to do kill(getpid(), SIGABRT) which was failing in capability mode, so the code was failing back to exit(1). Reviewed by: rwatson Obtained from: WHEEL Systems MFC after: 2 weeks
2012-11-27 10:22:40 +00:00 · 2012-11-27 10:22:40 +00:00 · 8890f5d020
commit 8890f5d020
parent b62d05fcf9
2 changed files with 13 additions and 0 deletions
--- a/sys/kern/capabilities.conf
+++ b/sys/kern/capabilities.conf
@ -336,6 +336,11 @@ issetugid
 ##
 kevent

+##
+## Allow kill(2), as we allow the process to send signals only to himself.
+##
+kill
+
 ##
 ## Allow message queue operations on file descriptors, subject to capability
 ## rights.
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@ -1679,6 +1679,14 @@ sys_kill(struct thread *td, struct kill_args *uap)
 	struct proc *p;
 	int error;

+	/*
+	 * A process in capability mode can send signals only to himself.
+	 * The main rationale behind this is that abort(3) is implemented as
+	 * kill(getpid(), SIGABRT).
+	 */
+	if (IN_CAPABILITY_MODE(td) && uap->pid != td->td_proc->p_pid)
+		return (ECAPMODE);
+
 	AUDIT_ARG_SIGNUM(uap->signum);
 	AUDIT_ARG_PID(uap->pid);
 	if ((u_int)uap->signum > _SIG_MAXSIG)