* Smalley, Stephen (Stephen_Smalleyat_private) wrote:
>
> Is the call to security_ops->capable in fs/exec.c:must_not_trace_exec
> still necessary? It appears that 2.4.10 changed the ptrace logic to
> check CAP_SYS_PTRACE for the parent process during ptrace_attach, setting
> the PT_PTRACE_CAP flag if it is granted, and then merely checks this flag
> in must_not_trace_exec. Since our capable hook is called by capable
> during the ptrace_attach, there doesn't appear to be a need to retain
> the capable hook call in must_not_trace_exec. (Previously,
> must_not_trace_exec was performing a cap_raised test on the parent, so
> we had replaced that test with a call to our capable hook on the parent,
> but this change appears to eliminate the need for this).

that looks right to me.

-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
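The check-at-attach pattern discussed in this thread, as an added user-space model (not kernel code and not part of the original messages): the capable hook runs once during attach, its answer is cached in PT_PTRACE_CAP, and the exec-time test reads only that flag. The struct, the `model_`/`hook_` function names and the flag values are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define CAP_SYS_PTRACE 19   /* capability number from <linux/capability.h> */
#define PT_PTRACED     0x1  /* flag values constructed for this model */
#define PT_PTRACE_CAP  0x2

struct task {
    unsigned long caps;     /* bitmask of capabilities held */
    unsigned long ptrace;   /* PT_* flags set on a traced task */
};

static int hook_calls;      /* how often the modelled capable hook ran */

/* Stand-in for the LSM capable hook: here just a bitmask test. */
static bool hook_capable(const struct task *t, int cap)
{
    hook_calls++;
    return (t->caps >> cap) & 1UL;
}

/* Attach: consult the hook once and cache the answer in PT_PTRACE_CAP. */
static void model_ptrace_attach(const struct task *tracer, struct task *child)
{
    child->ptrace |= PT_PTRACED;
    if (hook_capable(tracer, CAP_SYS_PTRACE))
        child->ptrace |= PT_PTRACE_CAP;
}

/* Exec-time check: reads only the cached flag, makes no hook call. */
static bool model_must_not_trace_exec(const struct task *p)
{
    return (p->ptrace & PT_PTRACED) && !(p->ptrace & PT_PTRACE_CAP);
}

int main(void)
{
    struct task root = { 1UL << CAP_SYS_PTRACE, 0 }, user = { 0, 0 };
    struct task a = { 0, 0 }, b = { 0, 0 };

    model_ptrace_attach(&root, &a);
    model_ptrace_attach(&user, &b);
    printf("traced by capable parent:   must_not_trace=%d\n", model_must_not_trace_exec(&a));
    printf("traced by unprivileged one: must_not_trace=%d\n", model_must_not_trace_exec(&b));
    root.caps = 0;  /* capability dropped after attach: cached flag is unchanged */
    printf("after parent drops cap:     must_not_trace=%d\n", model_must_not_trace_exec(&a));
    printf("hook calls: %d (one per attach, none at exec)\n", hook_calls);
    return 0;
}
```

In this model the exec-time result is whatever the hook answered at attach, so a security module that wants a say in the outcome has to decide it during the attach-time call.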
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 10:33:38 PDT