From 72c1d912ff6340149431d12dddf1cdabbdf9455a Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 15 May 2024 11:21:23 -0400
Subject: [PATCH] su, sudo: allow sudo to signal all su domains
sudo sends a SIGWINCH to child processes when invoked. If an administrator uses sudo in the fashion of "sudo su - root", sudo will send a signal to the corresponding su process.
type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/su.if | 24 ++++++++++++++++++++++--
 policy/modules/admin/su.te | 1 +
 policy/modules/admin/sudo.if | 3 +++
 3 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index dce1a0ea9..3f2cb7e36 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -31,9 +31,10 @@ template(`su_restricted_domain_template', `
 gen_require(`
 type su_exec_t;
+ attribute sudomain;
 ')
- type $1_su_t;
+ type $1_su_t, sudomain;
 domain_entry_file($1_su_t, su_exec_t)
 domain_type($1_su_t)
 domain_interactive_fd($1_su_t)
@@ -148,9 +149,10 @@ template(`su_restricted_domain_template', `
 template(`su_role_template',`
 gen_require(`
 type su_exec_t;
+ attribute sudomain;
 ')
- type $1_su_t;
+ type $1_su_t, sudomain;
 userdom_user_application_domain($1_su_t, su_exec_t)
 domain_interactive_fd($1_su_t)
 role $4 types $1_su_t;
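Review bot: The attribute name `sudomain` on `type $1_su_t, sudomain;` in su_restricted_domain_template is two letters away from `sudodomain`, which (if I recall the sudo module correctly) is the attribute already carried by the sudo domains. The same declaration is repeated in the su_role_template hunk. Because both names would resolve to a valid attribute, a slip in a later rule would still compile and silently apply to the other set of domains. A more distinct name such as `su_domain_type` would make that mistake visible in review. Both template bodies continue outside the hunks.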
@@ -309,3 +311,21 @@ interface(`su_exec',`
 corecmd_search_bin($1)
 can_exec($1, su_exec_t)
 ')
+
+#######################################
+##
+## Send signals to all su domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`su_signal_all',`
+ gen_require(`
+ attribute sudomain;
+ ')
+
+ allow $1 sudomain:process signal;
+')
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 662f18629..721387ce4 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -14,6 +14,7 @@ gen_tunable(su_allow_user_exec_domains, false)
 #
 # Declarations
 #
+attribute sudomain;
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 0fe061361..e812a9823 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -213,6 +213,9 @@ template(`sudo_role_template',`
 fprintd_dbus_chat($1_sudo_t)
 ')
+ optional_policy(`
+ su_signal_all($1_sudo_t)
+ ')
 ')
 ########################################
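Review bot: The summary on `su_signal_all` says only "Send signals", but `allow $1 sudomain:process signal;` grants the generic `signal` permission, which is not limited to the SIGWINCH case that motivates the commit. A caller also gains the ability to deliver other catchable signals, such as SIGTERM or SIGHUP, to every su domain; only sigkill, sigstop, sigchld and signull are separate permissions. I would word the summary as `## Send generic signals to all su domains.` so that callers see what they are granting.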
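Review bot: `su_signal_all($1_sudo_t)` in sudo_role_template lets every role's sudo domain signal every su domain, while the denial quoted in the commit message involves a single pair (staff_sudo_t to sysadm_su_t). That breadth may be intended, since sudo can start an su that lands in another role's domain, but nothing in the policy records the reason. A comment above the block such as `# sudo forwards SIGWINCH to its child, which may be an su domain of another role ("sudo su - root")` would explain why the grant targets the attribute rather than `$1_su_t`. Any narrowing would have to come from constraints that are not visible here, and the template body starts outside the hunk.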