diff options
| author | Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> | 2014-03-11 17:07:05 +0100 | 
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2014-04-11 14:34:26 -0700 | 
| commit | 5663884caab166f87ab8c68ec7c62b1cce85a400 (patch) | |
| tree | a106c1314669cbe6809f2b327395f0d37167b10f /lib/cpu-notifier-error-inject.c | |
| parent | 959e6c7f1eee42f14d31755b1134f5615db1d9bc (diff) | |
Smack: unify all ptrace accesses in the smack
The decision whether we can trace a process is made in the following
functions:
	smack_ptrace_traceme()
	smack_ptrace_access_check()
	smack_bprm_set_creds() (in case the proces is traced)
This patch unifies all those decisions by introducing one function that
checks whether ptrace is allowed: smk_ptrace_rule_check().
This makes possible to actually trace with TRACEME where first the
TRACEME itself must be allowed and then exec() on a traced process.
Additional bugs fixed:
- The decision is made according to the mode parameter that is now correctly
  translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1.
  PTRACE_MODE_READ requires MAY_READ.
  PTRACE_MODE_ATTACH requires MAY_READWRITE.
- Add a smack audit log in case of exec() refused by bprm_set_creds().
- Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info
  in case this flag is set.
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Diffstat (limited to 'lib/cpu-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions
