|
Message-ID: <CAG48ez1+9Bfadu4y4TzPYJfFpLk+N8w7GdCE+xwNCM5TfQ8W8Q@mail.gmail.com> Date: Thu, 27 Sep 2018 00:58:00 +0200 From: Jann Horn <jannh@...gle.com> To: Casey Schaufler <casey.schaufler@...el.com>, Jiri Kosina <jikos@...nel.org> Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>, kernel list <linux-kernel@...r.kernel.org>, linux-security-module <linux-security-module@...r.kernel.org>, selinux@...ho.nsa.gov, Dave Hansen <dave.hansen@...el.com>, deneen.t.dock@...el.com, kristen@...ux.intel.com, Arjan van de Ven <arjan@...ux.intel.com> Subject: Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED +Jiri On Thu, Sep 27, 2018 at 12:54 AM Schaufler, Casey <casey.schaufler@...el.com> wrote: > > -----Original Message----- > > From: Jann Horn [mailto:jannh@...gle.com] > > Sent: Wednesday, September 26, 2018 2:31 PM > > To: Schaufler, Casey <casey.schaufler@...el.com> > > Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>; kernel list > > <linux-kernel@...r.kernel.org>; linux-security-module <linux-security- > > module@...r.kernel.org>; selinux@...ho.nsa.gov; Hansen, Dave > > <dave.hansen@...el.com>; Dock, Deneen T <deneen.t.dock@...el.com>; > > kristen@...ux.intel.com; Arjan van de Ven <arjan@...ux.intel.com> > > Subject: Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED > > > > On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler > > <casey.schaufler@...el.com> wrote: > > > A ptrace access check with mode PTRACE_MODE_SCHED gets called > > > from process switching code. This precludes the use of audit, > > > as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED > > > case. > > > > > > Signed-off-by: Casey Schaufler <casey.schaufler@...el.com> > > > --- > > > security/smack/smack_lsm.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > > > index 340fc30ad85d..ffa95bcab599 100644 > > > --- a/security/smack/smack_lsm.c > > > +++ b/security/smack/smack_lsm.c > > > @@ -422,7 +422,8 @@ static int smk_ptrace_rule_check(struct task_struct > > *tracer, > > > struct task_smack *tsp; > > > struct smack_known *tracer_known; > > > > > > - if ((mode & PTRACE_MODE_NOAUDIT) == 0) { > > > + if ((mode & PTRACE_MODE_NOAUDIT) == 0 && > > > + (mode & PTRACE_MODE_SCHED) == 0) { > > > > If you ORed PTRACE_MODE_NOAUDIT into the flags when calling the > > security hook, you could drop this patch, right? > > Yes. Since the PTRACE_MODE_NOAUDIT was in PTRACE_MODE_IBPB > in Jiri's previous patch set and not in PTRACE_MODE_SCHED in this one > I assumed that there was a good reason for it. Jiri, was there a good reason for it, and if so, what was it?
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.