* David Wagner (dawat_private) wrote:
> Chris Wright wrote:
> >What do we do with complex logic like (arch/i386/kernel/ptrace.c):
> >
> >if(((current->uid != child->euid) ||
> >    (current->uid != child->suid) ||
> >    (current->uid != child->uid) ||
> >    (current->gid != child->egid) ||
> >    (current->gid != child->sgid) ||
> >    (!cap_issubset(child->cap_permitted, current->cap_permitted)) ||
> >    (current->gid != child->gid)) && !capable(CAP_SYS_PTRACE))
> >        goto out_tsk;
> >rmb();
> >if (!child->dumpable && !capable(CAP_SYS_PTRACE))
> >        goto out_tsk;
>
> Can the following be used instead?
>
> no_ptrace = security_ops->ptrace_hook(...);
> if (no_ptrace)
>         goto out_tsk;
> if(((current->uid != child->euid) ||
>     (current->uid != child->suid) ||
>     (current->uid != child->uid) ||
>     (current->gid != child->egid) ||
>     (current->gid != child->sgid) ||
>     (!cap_issubset(child->cap_permitted, current->cap_permitted)) ||
>     (current->gid != child->gid)) && !capable(CAP_SYS_PTRACE))
>         goto out_tsk;
> rmb();
> if (!child->dumpable && !capable(CAP_SYS_PTRACE))
>         goto out_tsk;
>
> What am I missing?

You are missing the call to cap_issubset(). This is a capabilities call.
Currently, all the capabilities bits are stored in the per task security
blob (i.e. child->cap_permitted is not relevant).

Stephen Smalley made a great suggestion to move that check into the prior
ptrace_hook check for the capabilities module, so the ptrace hook
implementation for the capabilities module would be:

    (!cap_issubset(child, parent) && !capable(CAP_SYS_PTRACE))

I believe that solves the issue cleanly.

-chris
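
The hook placement discussed in this thread, as an added userspace model that is not code from the message or from the kernel tree: the capabilities module's hook carries the subset test, and the generic check keeps only the uid/gid and dumpable tests. The reduced `struct task`, the bitmask capability sets, the explicit-tracer `capable()` and the name `ptrace_may_attach` are assumptions made for illustration.

```c
/* Userspace model (added example): simplified stand-ins for kernel types. */
#include <stdbool.h>
#include <stdint.h>

#define CAP_SYS_PTRACE 19            /* value from linux/capability.h */

struct task {                        /* hypothetical, reduced task_struct */
    unsigned uid, euid, suid, gid, egid, sgid;
    bool dumpable;
    uint32_t cap_permitted, cap_effective;  /* stands in for the security blob */
};

struct security_operations {         /* one hook only, for illustration */
    int (*ptrace_hook)(const struct task *parent, const struct task *child);
};

static bool cap_issubset(uint32_t a, uint32_t set) { return (a & ~set) == 0; }

/* Unlike the kernel's capable(), the tracer is passed explicitly here. */
static bool capable(const struct task *t, int cap)
{
    return (t->cap_effective >> cap) & 1u;
}

/* Capabilities module: owns the subset test that left the generic code. */
static int cap_ptrace_hook(const struct task *parent, const struct task *child)
{
    return !cap_issubset(child->cap_permitted, parent->cap_permitted) &&
           !capable(parent, CAP_SYS_PTRACE);
}

static struct security_operations cap_ops = { .ptrace_hook = cap_ptrace_hook };
static struct security_operations *security_ops = &cap_ops;

/* Generic attach check: returns 0 when allowed, -1 for the out_tsk path. */
int ptrace_may_attach(const struct task *cur, const struct task *child)
{
    if (security_ops->ptrace_hook(cur, child))
        return -1;
    if ((cur->uid != child->euid || cur->uid != child->suid ||
         cur->uid != child->uid  || cur->gid != child->egid ||
         cur->gid != child->sgid || cur->gid != child->gid) &&
        !capable(cur, CAP_SYS_PTRACE))
        return -1;
    if (!child->dumpable && !capable(cur, CAP_SYS_PTRACE))
        return -1;
    return 0;
}
```

With this split the generic code no longer reads `cap_permitted` at all, so a different module can be swapped in behind `security_ops` without touching the attach path.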
This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 10:11:30 PDT