Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110615142244.GA32753@openwall.com>
Date: Wed, 15 Jun 2011 18:22:44 +0400
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: [RFC 2/5 v3] procfs: add hidepid= and gid= mount options

Vasiliy,

On Wed, Jun 15, 2011 at 05:58:05PM +0400, Vasiliy Kulikov wrote:
> +	if (pid->hide_pid &&
> +	    !ptrace_may_access(task, PTRACE_MODE_READ) &&
> +	    !in_group_p(pid->pid_gid)) {

I think ptrace_may_access() involves capable() in some cases (when
access would otherwise be denied).  Thus, in order not to raise the used
privs flag unnecessarily, you need to check it last - after checking
in_group_p().

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.