lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090506045241.GA26214@redhat.com>
Date:	Wed, 6 May 2009 06:52:41 +0200
From:	Oleg Nesterov <oleg@...hat.com>
To:	Roland McGrath <roland@...hat.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Chris Wright <chrisw@...s-sol.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] ptrace: ptrace_attach: check PF_KTHREAD +
	exit_state instead of ->mm

On 05/05, Roland McGrath wrote:
>
> This changes the order of the already-traced and security checks.
> It would match the previous behavior to have the ->exit_state and ->ptrace
> checks before __ptrace_may_access().  This is a small nit, but it could
> affect whether some existing harmless usage pattern starts generating new
> access failure logging from security modules (e.g. SELinux avc denials).

Another subtle change I forgot to comment.

> I don't see any reason you can't just swap the order back as it was before.

The last patch in series, "do not use task_lock()", is the reason.

We need tasklist for writing to check (and set) ->ptrace, but we need
task_lock() to call __ptrace_may_access().

We can preserve the current behaviour, we can do get_task_mm() beforehand,
modify __ptrace_may_access() a bit, and call __ptrace_may_access() under
tasklist later (in fact, this was the very first version of this patch which
I didn't send).

But do we really care? If selinux denies to ptrace this task, can't we
return -EACESS regardless of ->ptrace?

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ