mirror of https://github.com/mkerrisk/man-pages
ptrace.2: Note that user namespaces can be used to bypass Yama protections
Cowritten-by: Jann Horn <jann@thejh.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 801245a110
commit d5765e275d
@ -2352,8 +2352,10 @@ is unchanged.
1 ("restricted ptrace") [default value]
When performing an operation that requires a
.BR PTRACE_MODE_ATTACH
check, the calling process must have a predefined relationship
with the target process.
check, the calling process must either have the
.B CAP_SYS_PTRACE
capability in the user namespace of the target process or
it have a predefined relationship with the target process.
By default,
the predefined relationship is that the target process
must be a child of the caller.
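Review bot: the fourth added line of this hunk, "it have a predefined relationship with the target process", is ungrammatical after "must either have the CAP_SYS_PTRACE capability ..."; make the two alternatives parallel, e.g. "or it must have a predefined relationship with the target process" (or drop "it" so the sentence reads "... or have a predefined relationship with the target process"). The substantive change, that the capability is checked in the user namespace of the target process rather than in the initial namespace, matches what the mode 2 hunk below says and is the detail the later user-namespace caveat depends on, so keep that wording.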
@ -2375,7 +2377,7 @@ is unchanged.
2 ("admin-only attach")
Only processes with the
.B CAP_SYS_PTRACE
capability may perform
capability in the user namespace of the target process may perform
.BR PTRACE_MODE_ATTACH
operations or trace children that employ
.BR PTRACE_TRACEME .
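Review bot: "capability in the user namespace of the target process" now qualifies both alternatives in this sentence, but for the second one, "trace children that employ PTRACE_TRACEME", the text never says who the target process is, and a reader may take "target" to refer only to the PTRACE_MODE_ATTACH case. Suggest spelling it out, e.g. "... or trace children that employ PTRACE_TRACEME (here the child that calls PTRACE_TRACEME is the target process)", so that the namespace in which CAP_SYS_PTRACE is required is unambiguous for both cases.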
@ -2387,6 +2389,14 @@ operations or trace children that employ
.BR PTRACE_TRACEME .
Once this value has been written to the file, it cannot be changed.
.PP
With respect to values 1 and 2,
note that creating a user namespace effectively removes the Yama protection,
because the owner of a namespace, when accessing its members from outside, has
.BR CAP_SYS_PTRACE
within the namespace.
This means that when a process tries to use namespaces to sandbox
itself, it inadvertently weakens the protections offered by the Yama LSM.
.\"
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.\"
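Review bot: the added paragraph says creating a user namespace "effectively removes the Yama protection" without saying for whom, so it can be read as the protection vanishing for every process on the system. It is removed only with respect to processes in the parent user namespace that run with the namespace owner's user ID: they hold all capabilities in the new namespace and therefore pass the "CAP_SYS_PTRACE in the user namespace of the target process" check that the two hunks above introduce for modes 1 and 2. Suggest tying the paragraph to those hunks explicitly, e.g. "... because the owner of a user namespace (any process in the parent namespace running with the owner's user ID) has CAP_SYS_PTRACE with respect to the members of that namespace, and so satisfies the capability check described above for values 1 and 2." Minor style point: this hunk writes ".BR CAP_SYS_PTRACE" where the two hunks above use ".B CAP_SYS_PTRACE"; with a single argument the two macros render identically, so use ".B" here for consistency within the page.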