capable hook call in must_not_trace_exec

• Previous message: KRAMER,STEVEN (HP-USA,ex1): "RE: GPL only usage of security.h"
• Next in thread: Greg KH: "Re: capable hook call in must_not_trace_exec"
• Reply: Greg KH: "Re: capable hook call in must_not_trace_exec"
• Reply: Chris Wright: "Re: capable hook call in must_not_trace_exec"
• Reply: Smalley, Stephen: "RE: capable hook call in must_not_trace_exec"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Is the call to security_ops->capable in fs/exec.c:must_not_trace_exec
still necessary?  It appears that 2.4.10 changed the ptrace logic to
check CAP_SYS_PTRACE for the parent process during ptrace_attach, setting
the PT_PTRACE_CAP flag if it is granted, and then merely checks this flag
in must_not_trace_exec.  Since our capable hook is called by capable
during the ptrace_attach, there doesn't appear to be a need to retain
the capable hook call in must_not_trace_exec.  (Previously,
must_not_trace_exec
was performing a cap_raised test on the parent, so we had replaced that test
with a call to our capable hook on the parent, but this change appears
to eliminate the need for this).

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Greg KH: "Re: GPL only usage of security.h"
• Previous message: KRAMER,STEVEN (HP-USA,ex1): "RE: GPL only usage of security.h"
• Next in thread: Greg KH: "Re: capable hook call in must_not_trace_exec"
• Reply: Greg KH: "Re: capable hook call in must_not_trace_exec"
• Reply: Chris Wright: "Re: capable hook call in must_not_trace_exec"
• Reply: Smalley, Stephen: "RE: capable hook call in must_not_trace_exec"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 08:11:53 PDT