git: 77ee83d12625 - releng/15.0 - sigqueue: In capability mode, only allow signalling self
Date: Tue, 09 Jun 2026 19:19:46 UTC
The branch releng/15.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=77ee83d12625fea81a278d53cc621c610c353955
commit 77ee83d12625fea81a278d53cc621c610c353955
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-05-26 13:24:36 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-08 15:39:32 +0000
sigqueue: In capability mode, only allow signalling self
This is copied from the check in kern_kill.
Approved by: so
Security: FreeBSD-SA-26:28.capsicum
Security: CVE-2026-45259
Reviewed by: markj, oshogbo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57244
(cherry picked from commit b9d16b7fd2fa6bc4b3e8364804cbdc1b76ebe8a5)
(cherry picked from commit defd9b86ef995ce70363eae9b323d616bda865be)
---
contrib/capsicum-test/capmode.cc | 12 +++++++++---
sys/kern/kern_sig.c | 10 ++++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/contrib/capsicum-test/capmode.cc b/contrib/capsicum-test/capmode.cc
index 5ff025290211..d2eb1e8633a8 100644
--- a/contrib/capsicum-test/capmode.cc
+++ b/contrib/capsicum-test/capmode.cc
@@ -746,8 +746,8 @@ FORK_TEST(Capmode, NewThread) {
close(thread_pipe[1]);
}
-static volatile sig_atomic_t had_signal = 0;
-static void handle_signal(int) { had_signal = 1; }
+static volatile sig_atomic_t signal_cnt = 0;
+static void handle_signal(int) { signal_cnt++; }
FORK_TEST(Capmode, SelfKill) {
pid_t me = getpid();
@@ -765,7 +765,13 @@ FORK_TEST(Capmode, SelfKill) {
// Can only kill(2) to own pid.
EXPECT_CAPMODE(kill(child, SIGUSR1));
EXPECT_OK(kill(me, SIGUSR1));
- EXPECT_EQ(1, had_signal);
+ EXPECT_EQ(1, signal_cnt);
+
+ union sigval sv;
+ sv.sival_int = 0x1234;
+ EXPECT_CAPMODE(sigqueue(child, SIGUSR1, sv));
+ EXPECT_OK(sigqueue(me, SIGUSR1, sv));
+ EXPECT_EQ(2, signal_cnt);
signal(SIGUSR1, original);
}
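Review bot: `sv.sival_int = 0x1234` is set but never observed. The assertions after `sigqueue(me, SIGUSR1, sv)` only count handler invocations, and `handle_signal(int)` receives no siginfo. Either state that with a comment such as `// Value is arbitrary; only delivery is checked.`, or install the handler with SA_SIGINFO and compare `si_value.sival_int` so the queued value is verified too. The handler installation at the top of SelfKill is outside this hunk.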
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index 1eac5cc2993f..40da0a79b810 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -2037,6 +2037,16 @@ kern_sigqueue(struct thread *td, pid_t pid, int signumf, union sigval *value)
if (pid <= 0)
return (EINVAL);
+ /*
+ * A process in capability mode can send signals only to itself.
+ */
+ if (pid != td->td_proc->p_pid) {
+ if (CAP_TRACING(td))
+ ktrcapfail(CAPFAIL_SIGNAL, &signum);
+ if (IN_CAPABILITY_MODE(td))
+ return (ECAPMODE);
+ }
+
if ((signumf & __SIGQUEUE_TID) == 0) {
if ((p = pfind_any(pid)) == NULL)
return (ESRCH);
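Review bot: The new check compares `pid` with `td->td_proc->p_pid` before the `__SIGQUEUE_TID` test, yet the branch right below treats `pid` as a process id only when that flag is clear. If the flagged form carries a thread id in `pid` (the else branch is outside the hunk, so this is inferred), a sandboxed process queueing a signal to one of its own threads would get ECAPMODE, since that id will not normally equal the process id. That fails closed, so it is not a sandbox bypass, but it may be stricter than intended. Provided the thread-directed path is confined to the caller's own process, consider `if ((signumf & __SIGQUEUE_TID) == 0 && pid != td->td_proc->p_pid) {`, or move the check into the non-TID branch. The capmode.cc test exercises only the process-directed form, so a thread-directed case is worth adding either way.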