Using ptrace(2) and related debug features on a target process can lead
to a privilege escalation. Indeed, ptrace(2) can be used by an attacker
to impersonate another task and to remain undetected while performing
malicious activities. Thanks to ptrace_may_access(), various part of
the kernel can check if a tracer is more privileged than a tracee.
A landlocked process has fewer privileges than a non-landlocked process
and must then be subject to additional restrictions when manipulating
processes. To be allowed to use ptrace(2) and related syscalls on a
target process, a landlocked process must have a subset of the target
process's rules (i.e. the tracee must be in a sub-domain of the tracer).
Cc: James Morris <email@example.com>
Signed-off-by: Mickaël Salaün <firstname.lastname@example.org>
Reviewed-by: Jann Horn <email@example.com>
Acked-by: Serge Hallyn <firstname.lastname@example.org>
Reviewed-by: Kees Cook <email@example.com>
Signed-off-by: James Morris <firstname.lastname@example.org>