ptrace.2: Various fixes after review by Jann Horn

Among other things, Jann pointed out that the commoncap LSM
is always invoked, and Kees Cook pointed out the relevant
kernel code:

===
> BTW, can you point me at the piece(s) of kernel code that show that
> "commoncap" is always invoked in addition to any other LSM that has
> been installed?

It's not entirely obvious, but the bottom of security/commoncap.c shows:

struct security_hook_list capability_hooks[] = {
        LSM_HOOK_INIT(capable, cap_capable),
...
};

void __init capability_add_hooks(void)
{
        security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
}

And security/security.c shows the initialization order of the LSMs:

int __init security_init(void)
{
        pr_info("Security Framework initialized\n");

        /*
         * Load minor LSMs, with the capability module always first.
         */
        capability_add_hooks();
        yama_add_hooks();
        loadpin_add_hooks();

        /*
         * Load all the remaining security modules.
         */
        do_security_initcalls();

        return 0;
}
===

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2016-06-22 21:12:57 +02:00
parent 0647331a06
commit 611d3ac40a
1 changed files with 6 additions and 5 deletions


@ -2082,8 +2082,9 @@ is highly specific to the operating system and architecture.
Various parts of the kernel-user-space API (not just
.BR ptrace (2)
operations), require so-called "ptrace access mode permissions" which
are gated by Linux Security Modules (LSMs) such as
SELinux, Yama, Smack, or the default LSM.
are gated by any enabled Linux Security Module (LSMs)\(emfor example,
SELinux, Yama, or Smack\(emand by the the commoncap LSM
(which is always invoked).
Prior to Linux 2.6.27, all such checks were of a single type.
Since Linux 2.6.27,
.\" commit 006ebb40d3d65338bd74abb03b945f8d60e362bd
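Review bot: the replacement line "SELinux, Yama, or Smack\(emand by the the commoncap LSM" carries a doubled "the"; drop one before this lands. In the same hunk, "any enabled Linux Security Module (LSMs)" mixes a singular noun with a plural abbreviation; either "any enabled Linux Security Modules (LSMs)" or "any enabled Linux Security Module (LSM)" reads correctly. The substantive change itself is right per the quoted security_init() in the commit message: capability_add_hooks() is registered unconditionally and first, so commoncap's checks apply whatever other LSM is enabled.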
@ -2128,7 +2129,7 @@ shorthand for labeling the different kernel checks.
Since Linux 4.5,
.\" commit caaee6234d05a58c5b4d05e7bf766131b810a657
the above access mode checks are be combined (ORed) with
the above access mode checks are combined (ORed) with
one of the following modifiers:
.TP
.B PTRACE_MODE_FSCREDS
@ -2214,7 +2215,7 @@ The kernel LSM
.IR security_ptrace_access_check ()
interface is invoked to see if ptrace access is permitted.
The results depend on the LSM.
The implementation of this interface in the default LSM performs
The implementation of this interface in the commoncap LSM performs
the following steps:
.\" (in cap_ptrace_access_check()):
.RS
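Review bot: the unchanged sentence "The results depend on the LSM." just above now sits awkwardly next to "the commoncap LSM", since the rest of the page says commoncap is always invoked; consider wording it as the results depending on which LSMs are enabled, with the commoncap steps that follow applying in every case. It would also help readers to surface the function name from the roff comment ".\" (in cap_ptrace_access_check()):" in the visible text, e.g. "The implementation of this interface in the commoncap LSM (cap_ptrace_access_check()) performs the following steps:", so the man page points at the code it is describing.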
@ -2246,7 +2247,7 @@ The caller has the
capability in the target process's user namespace.
.RE
.IP
Note that the default LSM does not distinguish between
Note that the commoncap LSM does not distinguish between
.B PTRACE_MODE_READ
and
.BR PTRACE_MODE_ATTACH .