Mike Waychison wrote:
> > 1. Deny access to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
> > if task NNN cannot be ptraced.
> >
> > 2. Allow entry to /proc/NNN/fd/, /proc/NNN/cwd, /proc/NNN/root
> > if ptrace is allowed; the namespace being irrelevant.
> >
> > 3. Use _exactly_ the same condition as for ptracing,
> > i.e. MAY_PTRACE in fs/proc/base.c. Ensure that condition is
> > consistent with the tests in kernel/ptrace.c, possibly putting
> > the condition in a common header file to keep it consistent in
> > future.
> >
> > 4. If further restrictions are desired, to make namespaces more
> > strict, those should be implemented by further restrictions on
> > which tasks are allowed to ptrace other tasks.
> >
>
> Indeed. A combination of MAY_PTRACE ||ed with a check against current
> sounds reasonable to me.
Note that MAY_PTRACE already includes a check against current.
-- Jamie
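Added example, not code from the thread or from the kernel: a small userspace model of the design the list items above argue for, i.e. one shared "may ptrace" predicate that gates both ptrace attach and access to /proc/PID/fd, cwd and root, so the two policies cannot drift apart. The predicate is a simplified reconstruction of the 2.6-era kernel check as the editor recalls it (all of the target's uids/gids must equal the tracer's real ids, the target must be dumpable, CAP_SYS_PTRACE overrides, and a task may always inspect itself); it is an assumption, not the actual MAY_PTRACE macro or kernel/ptrace.c code. The task records (shell, editor, passwd, agent, other, rootsh) are constructed sample data.

```c
/* Userspace model of a single shared ptrace predicate gating both ptrace
 * attach and /proc/PID/{fd,cwd,root} access. Simplified reconstruction of the
 * 2.6-era check; it is an assumption for illustration, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct task {
    const char *name;
    unsigned uid, euid, suid;   /* real, effective, saved uid */
    unsigned gid, egid, sgid;   /* real, effective, saved gid */
    bool dumpable;              /* false after a setuid exec or prctl(PR_SET_DUMPABLE, 0) */
    bool cap_sys_ptrace;        /* CAP_SYS_PTRACE in the effective capability set */
};

/* The one predicate. Both gates below call it, so the policy has one home
 * (the "common header file" suggested in point 3 of the thread). */
static bool may_ptrace(const struct task *tracer, const struct task *target)
{
    if (tracer == target)            /* a task may always inspect itself */
        return true;
    if (tracer->cap_sys_ptrace)      /* privileged override */
        return true;
    /* every id of the target must match the tracer's real uid/gid */
    if (tracer->uid != target->uid || tracer->uid != target->euid ||
        tracer->uid != target->suid || tracer->gid != target->gid ||
        tracer->gid != target->egid || tracer->gid != target->sgid)
        return false;
    return target->dumpable;         /* non-dumpable tasks hide from peers */
}

/* Gate used by the ptrace(PTRACE_ATTACH) path of the model. */
static bool ptrace_attach_allowed(const struct task *tracer, const struct task *target)
{
    return may_ptrace(tracer, target);
}

/* Gate used for /proc/PID/fd, /proc/PID/cwd and /proc/PID/root: deliberately
 * the same predicate, not a second, hand-maintained copy of it. */
static bool proc_fd_access_allowed(const struct task *viewer, const struct task *target)
{
    return may_ptrace(viewer, target);
}

/* Constructed sample tasks (not real process data). */
static const struct task shell  = { .name = "shell",  .uid = 1000, .euid = 1000, .suid = 1000,
                                    .gid = 1000, .egid = 1000, .sgid = 1000,
                                    .dumpable = true,  .cap_sys_ptrace = false };
static const struct task editor = { .name = "editor", .uid = 1000, .euid = 1000, .suid = 1000,
                                    .gid = 1000, .egid = 1000, .sgid = 1000,
                                    .dumpable = true,  .cap_sys_ptrace = false };
/* setuid-root binary started by uid 1000: euid/suid 0, kernel clears dumpable */
static const struct task passwd = { .name = "passwd", .uid = 1000, .euid = 0,    .suid = 0,
                                    .gid = 1000, .egid = 1000, .sgid = 1000,
                                    .dumpable = false, .cap_sys_ptrace = false };
/* same user, but the program turned dumpable off itself (e.g. a key agent) */
static const struct task agent  = { .name = "agent",  .uid = 1000, .euid = 1000, .suid = 1000,
                                    .gid = 1000, .egid = 1000, .sgid = 1000,
                                    .dumpable = false, .cap_sys_ptrace = false };
static const struct task other  = { .name = "other",  .uid = 1001, .euid = 1001, .suid = 1001,
                                    .gid = 1001, .egid = 1001, .sgid = 1001,
                                    .dumpable = true,  .cap_sys_ptrace = false };
static const struct task rootsh = { .name = "rootsh", .uid = 0, .euid = 0, .suid = 0,
                                    .gid = 0, .egid = 0, .sgid = 0,
                                    .dumpable = true,  .cap_sys_ptrace = true };

static const struct task *all_tasks[] = { &shell, &editor, &passwd, &agent, &other, &rootsh };
#define NTASKS (sizeof all_tasks / sizeof all_tasks[0])

/* Number of (viewer, target) pairs where the /proc gate and the ptrace gate
 * disagree. Zero means the two policies are consistent for the sample set. */
static int count_gate_mismatches(void)
{
    int mismatches = 0;
    for (size_t i = 0; i < NTASKS; i++)
        for (size_t j = 0; j < NTASKS; j++)
            if (ptrace_attach_allowed(all_tasks[i], all_tasks[j]) !=
                proc_fd_access_allowed(all_tasks[i], all_tasks[j]))
                mismatches++;
    return mismatches;
}

int main(void)
{
    for (size_t i = 0; i < NTASKS; i++)
        for (size_t j = 0; j < NTASKS; j++)
            printf("%-7s -> %-7s  ptrace:%d  /proc/PID/fd:%d\n",
                   all_tasks[i]->name, all_tasks[j]->name,
                   ptrace_attach_allowed(all_tasks[i], all_tasks[j]),
                   proc_fd_access_allowed(all_tasks[i], all_tasks[j]));
    printf("gate mismatches: %d\n", count_gate_mismatches());
    return 0;
}
```

The interesting rows are the ones where plain uid equality would have said yes: the shell cannot open /proc/PID/fd of the setuid passwd process (its euid is 0 and it is non-dumpable) or of the agent that cleared its own dumpable flag, while root with CAP_SYS_PTRACE can see everything. Because both gates are the same function, the "further restrictions" of point 4 (tightening who may ptrace whom) automatically tighten /proc access too.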
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/