| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXu5jJs-FQT93Og6ULiyugOs1nBCvMKXVrM_dnWTMLKj6ORLg@mail.gmail.com>
Date: Tue, 2 Oct 2018 14:07:01 -0700
From: Kees Cook <keescook@...omium.org>
To: Matthew Wilcox <willy@...radead.org>
Cc: Yves-Alexis Perez <corsac@...sac.net>,
Jonathan Corbet <corbet@....net>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, trivial@...nel.org
Subject: Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation
On Tue, Oct 2, 2018 at 1:52 PM, Matthew Wilcox <willy@...radead.org> wrote:
> On Tue, Oct 02, 2018 at 10:47:23PM +0200, Yves-Alexis Perez wrote:
>> Current phrasing is ambiguous since it's unclear if attaching to a
>> children through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the
>> sentence to make that clear.
>
> I disagree that your sentence makes that clear. How about:
>
>> 2 - admin-only attach:
>> - only processes with ``CAP_SYS_PTRACE`` may use ptrace
>> - with ``PTRACE_ATTACH``, or through children calling ``PTRACE_TRACEME``.
>> + only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with
>> + ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``.
>
> + only processes with ``CAP_SYS_PTRACE`` may use ptrace. This
> + restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``.
PTRACE_TRACEME is done by the child, not the process with
CAP_SYS_PTRACE, so I still think the Yves-Alexis's is clearer. But if
other agree, I'm fine with it. :)
-Kees
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists