sigqueue: In capability mode, only allow signalling self

This is copied from the check in kern_kill.

Reviewed by:	markj, oshogbo
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57244

sys/kern/kern_sig.c

@@ -2038,6 +2038,16 @@ kern_sigqueue(struct thread *td, pid_t pid, int signumf, union sigval *value)
 	if (pid <= 0)
 		return (EINVAL);
 
+	/*
+	 * A process in capability mode can send signals only to itself.
+	 */
+	if (pid != td->td_proc->p_pid) {
+		if (CAP_TRACING(td))
+			ktrcapfail(CAPFAIL_SIGNAL, &signum);
+		if (IN_CAPABILITY_MODE(td))
+			return (ECAPMODE);
+	}
+
 	if ((signumf & __SIGQUEUE_TID) == 0) {
 		if ((p = pfind_any(pid)) == NULL)
 			return (ESRCH);

tests/sys/capsicum/capmode.cc

@@ -703,8 +703,8 @@ FORK_TEST(Capmode, NewThread) {
   close(thread_pipe[1]);
 }
 
-static volatile sig_atomic_t had_signal = 0;
-static void handle_signal(int) { had_signal = 1; }
+static volatile sig_atomic_t signal_cnt = 0;
+static void handle_signal(int) { signal_cnt++; }
 
 FORK_TEST(Capmode, SelfKill) {
   pid_t me = getpid();
@@ -722,7 +722,13 @@ FORK_TEST(Capmode, SelfKill) {
   // Can only kill(2) to own pid.
   EXPECT_CAPMODE(kill(child, SIGUSR1));
   EXPECT_OK(kill(me, SIGUSR1));
-  EXPECT_EQ(1, had_signal);
+  EXPECT_EQ(1, signal_cnt);
+
+  union sigval sv;
+  sv.sival_int = 0x1234;
+  EXPECT_CAPMODE(sigqueue(child, SIGUSR1, sv));
+  EXPECT_OK(sigqueue(me, SIGUSR1, sv));
+  EXPECT_EQ(2, signal_cnt);
 
   signal(SIGUSR1, original);
 }