prctl: add PR_[GS]ET_PDEATHSIG_PROC

PR_SET_PDEATHSIG sets a parent death signal that the calling process will
get when its parent thread dies, even when the result of getppid() doesn't
change because the calling process is reparented to a different thread in
the same parent process.  When managing multiple processes, a
process-based parent death signal is much more useful.  E.g., to avoid
stray child processes.

PR_SET_PDEATHSIG_PROC sets a process-based death signal.  Unlike
PR_SET_PDEATHSIG, this is inherited across fork to allow killing a whole
subtree without race conditions.

This can be used for sandboxing when combined with a seccomp filter.

There have been previous attempts to support this by changing the behavior
of PR_SET_PDEATHSIG.  However, that would break existing applications.
See https://marc.info/?l=linux-kernel&m=117621804801689 and
https://bugzilla.kernel.org/show_bug.cgi?id=43300

Link: http://lkml.kernel.org/r/20170929123058.48924-1-j@bitron.ch
Signed-off-by: Jürg Billeter <j@bitron.ch>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Filipe Brandenburger <filbranden@google.com>
Cc: David Wilcox <davidvsthegiant@gmail.com>
Cc: "Adam H . Peterson" <alphaetapi@hotmail.com>
Cc: <hansecke@gmail.com>
Cc: <linux-api@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>

1 files changed, 1 insertions, 0 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9a46dc24ac10..a85fac3345df 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2654,6 +2654,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
 
 	/* Always clear parent death signal on SID transitions. */
 	current->pdeath_signal = 0;
+	current->signal->pdeath_signal_proc = 0;
 
 	/* Check whether the new SID can inherit resource limits from the old
 	 * SID.  If not, reset all soft limits to the lower of the current