Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Jun 2011 19:50:58 +0400
From: Vasiliy Kulikov <>
To: Eric Paris <>
	" Stephen Smalley" <>,
	James Morris <>,
	Eric Paris <>,
	John Johansen <>,
Subject: Re: [RFC v1] security: introduce ptrace_task_access_check()

On Fri, Jun 17, 2011 at 11:43 -0400, Eric Paris wrote:
> >Please help me to figure out how such patch should be divided to be
> >applied.  I think about such scheme:
> >
> >1) add generic security/* functions.
> >2-4) add ptrace_task_access_check() for SMACK, AppArmor and SELinux.
> >5) change ptrace_access_check() in security ops and all LSMs to
> >     ptrace_task_access_check().
> >
> >But I'd like to hear maintainers' oppinions not to put useless efforts.
> Not a real review, but I didn't instantly grok the need for the new
> cap functions.

It is needed because of capable(CAP_SYS_PTRACE) and similar inside of
ptrace_may_access() implementations.

>  So maybe that's it's own patch with it's own change
> log.  After that you should just add the 'parent' task to
> ptrace_access_check() and fix all of the LSMs to handle the new
> semantics at once.  No need to rename the function or do a bunch of
> seperate patchs.

I thought it would represent function's semantic changes more strongly.

>  All of us LSM authors can just ACK our little part
> and James can take the patch when everyone has their say.  I think
> that will make history the cleanest.....

Great!  It would be much simple for me too :)


Vasiliy Kulikov - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.