On Mon, Sep 24, 2001 at 09:06:56AM -0500, Smalley, Stephen wrote: > > Is the call to security_ops->capable in fs/exec.c:must_not_trace_exec > still necessary? It appears that 2.4.10 changed the ptrace logic to > check CAP_SYS_PTRACE for the parent process during ptrace_attach, setting > the PT_PTRACE_CAP flag if it is granted, and then merely checks this flag > in must_not_trace_exec. Since our capable hook is called by capable > during the ptrace_attach, there doesn't appear to be a need to retain > the capable hook call in must_not_trace_exec. (Previously, > must_not_trace_exec > was performing a cap_raised test on the parent, so we had replaced that test > with a call to our capable hook on the parent, but this change appears > to eliminate the need for this). In looking at the code I think I agree with you. Shall I remove the hook? thanks, greg k-h _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 10:29:17 PDT