Re: How to lock current->signal->tty

From: Stephen Smalley
Date: Tue Aug 08 2006 - 13:08:05 EST

On Tue, 2006-08-08 at 16:17 +0100, Alan Cox wrote:
> The biggest crawly horror I've found so far in auditing the tty locking
> is current->signal->tty. The tty layer currently and explicitly protects
> this using tty_mutex. The core kernel likewise knows about this.
> Unfortunately:
> SELinux doesn't do any locking at all
> Dquot passes the tty to tty_write_message without locking
> audit_log_exit doesn't do any locking at all
> acct.c thinks tasklist_lock protects it (wrong)
> drivers/char/sx misuses it unlocked in debug info
> fs/proc/array thinks tasklist_lock will save it (also wrong)
> fs3270 does fascinating things with it which don't look safe
> ebtables remote debugging (#if 0 thankfully) does no locking
> and just for fun calls the tty driver directly with no
> driver locking either.
> voyager_thread sets up a thread and then touches ->tty unlocked
> (and it seems daemonize already fixed it)
> Sparc solaris_procids sets it to NULL without locking
> arch/ia64/kernel/unanligned seems to write to it without locking
> arch/um/kernel/exec.c appears to believe task_lock is used
> The semantics are actually as follows
> signal->tty must not be changed without holding tty_mutex
> signal->tty must not be used unless tty_mutex is held from before
> reading it to completing using it
> Simple if(signal->tty == NULL) type checks are ok
> I'm looking longer term at tty ref counting and the like but for now and
> current distributions it might be an idea to fix the existing problems.

Does this look sane? Or do we need a common helper factored from
disassociate_ctty()? Why is the locking different for TIOCNOTTY in the
non-leader case?


selinux: fix tty locking

Take tty_mutex when accessing ->signal->tty.
Noted by Alan Cox.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>


security/selinux/hooks.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5d1b8c7..4b0f904 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1711,10 +1711,12 @@ static inline void flush_unauthorized_fi
struct avc_audit_data ad;
struct file *file, *devnull = NULL;
- struct tty_struct *tty = current->signal->tty;
+ struct tty_struct *tty;
struct fdtable *fdt;
long j = -1;

+ mutex_lock(&tty_mutex);
+ tty = current->signal->tty;
if (tty) {
file = list_entry(tty->, typeof(*file), f_u.fu_list);
@@ -1734,6 +1736,7 @@ static inline void flush_unauthorized_fi
+ mutex_unlock(&tty_mutex);

/* Revalidate access to inherited open files. */

Stephen Smalley
National Security Agency

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at