[PATCH 0/6] utrace: security problems

Oleg Nesterov oleg at redhat.com
Wed Jul 7 23:06:55 UTC 2010


On 07/07, Roland McGrath wrote:
>
> > > For exec transitions (set-id, file caps, selinux), I'd originally figured
> > > an engine's report_exec could check for changes and decide to detach itself
> > > if appropriate.
> >
> > No, it can't. At this point S_ISUID/S_ISGID exid's were already dropped,
> > or exec can fail before tracehook_report_exec().
>
> If an exec fails, nothing changes and there is no security-relevant event
> to take notice of.  I don't really follow your other comment.  But ...

I meant, it can fail because selinux sees LSM_UNSAFE_PTRACE and cancels
exec. If we add ->report_security_check() callback or something, we can
detach the engines which don't pass the check.

> > The only question: do you think the trivial 1st patch is correct?
>
> The one that just adds a macro defined to another existing macro?
> Any change that preprocesses out to the same code is "correct", sure...

Well, sure.

The question was: am I right this is the only change we need to make
sure that task->utrace_flags will always have the ENGINE_EXTRA_FLAGS
bits from all engine->flag's? OK, I think it is correct.

Oleg.
