From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751636AbcFUVK4 (ORCPT ); Tue, 21 Jun 2016 17:10:56 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:37275 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750998AbcFUVKv convert rfc822-to-8bit (ORCPT ); Tue, 21 Jun 2016 17:10:51 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Kees Cook Cc: "Michael Kerrisk \(man-pages\)" , Jann Horn , James Morris , linux-man , Stephen Smalley , lkml , linux-security-module , Linux API , Oleg Nesterov References: <87ziqewc3r.fsf@x220.int.ebiederm.org> Date: Tue, 21 Jun 2016 15:58:39 -0500 In-Reply-To: (Kees Cook's message of "Tue, 21 Jun 2016 13:29:32 -0700") Message-ID: <878txyuum8.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-XM-SPF: eid=1bFSwZ-00016b-KL;;;mid=<878txyuum8.fsf@x220.int.ebiederm.org>;;;hst=in02.mta.xmission.com;;;ip=67.3.204.119;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18p8NeVJxfjht4wRKlj93nrUgM35hfyFeY= X-SA-Exim-Connect-IP: 67.3.204.119 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa02 1397; Body=1 Fuz1=1 Fuz2=1] * 0.2 T_XMDrugObfuBody_14 obfuscated drug references * 0.1 XMSolicitRefs_0 Weightloss drug X-Spam-DCC: XMission; sa02 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Kees Cook X-Spam-Relay-Country: X-Spam-Timing: total 935 ms - load_scoreonly_sql: 0.09 (0.0%), signal_user_changed: 15 (1.6%), b_tie_ro: 13 (1.4%), parse: 1.39 (0.1%), extract_message_metadata: 93 (10.0%), get_uri_detail_list: 2.6 (0.3%), tests_pri_-1000: 27 (2.9%), tests_pri_-950: 2.4 (0.3%), tests_pri_-900: 1.85 (0.2%), tests_pri_-400: 54 (5.7%), check_bayes: 51 (5.5%), b_tokenize: 11 (1.2%), b_tok_get_all: 19 (2.1%), b_comp_prob: 4.4 (0.5%), b_tok_touch_all: 3.1 (0.3%), b_finish: 1.07 (0.1%), tests_pri_0: 714 (76.4%), check_dkim_signature: 1.04 (0.1%), check_dkim_adsp: 12 (1.3%), tests_pri_500: 8 (0.9%), rewrite_mail: 0.00 (0.0%) Subject: Re: Documenting ptrace access mode checking X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Kees Cook writes: > On Tue, Jun 21, 2016 at 12:55 PM, Eric W. Biederman > wrote: > >> "Michael Kerrisk (man-pages)" writes: >> >>> The algorithm employed for ptrace access mode checking deter‐ >>> mines whether the calling process is allowed to perform the >>> corresponding action on the target process, as follows: >>> >>> 1. If the calling thread and the target thread are in the same >>> thread group, access is always allowed. >> >> This test only exsits because the LSMs historically and I suspect >> continue to be broken and deny a process the ability to ptrace itself. > > Well, it's not that the LSMs are broken, it's that self-inspection is > a short-circuited "allow". The LSMs aren't involved. Long ago and far away. I modified /proc/self/something to use the same permissions as ptrace. This broken everyone's selinux setups. So the short circuit was added. Or in short the LSMs aren't involved because they got it wrong. If the selinux breakage was not in the selinux rules that are loaded from userspace but in the kernel module that short circuit check would have been confined to selinux. I have had an occasional thought and the occassional discussion about removing that check and just fixing the LSMs but at this point I don't think anyone cares enough to make that change. Eric