author | Kees Cook <keescook@chromium.org> | 2012-08-09 19:01:26 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-08-15 07:53:04 -0700 |
commit | c7d190158502024773de8bc4822fbd737a2bb9d0 (patch) | |
tree | 744473883208441ab2a151191add76cdfe15db91 /include | |
parent | d534db404b17a81f1edbe10de0f1b67f1813d427 (diff) |
Yama: higher restrictions should block PTRACE_TRACEME
commit 9d8dad742ad1c74d7e7210ee05d0b44961d5ea16 upstream.
The higher ptrace restriction levels should be blocking even
PTRACE_TRACEME requests. The comments in the LSM documentation are
misleading about when the checks happen (the parent does not go through
security_ptrace_access_check() on a PTRACE_TRACEME call).
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/security.h | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 4e5a73cdbbe..3dea6a9d568 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1242,8 +1242,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * Check that the @parent process has sufficient permission to trace the * current process before allowing the current process to present itself * to the @parent process for tracing. - * The parent process will still have to undergo the ptrace_access_check - * checks before it is allowed to trace this one. * @parent contains the task_struct structure for debugger process. * Return 0 if permission is granted. * @capget: |
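Review bot: with the two "- *" lines gone, the hook comment in include/linux/security.h no longer says anything about whether the parent is checked, so the misleading statement is removed but the correct one is never stated. The commit message says the parent does not go through security_ptrace_access_check() on a PTRACE_TRACEME call; consider putting a sentence to that effect in place of the removed one (before the "@parent contains the task_struct structure for debugger process." line), so that LSM authors reading the header know any restriction on PTRACE_TRACEME has to be enforced in this hook. Separately, the diffstat here is limited to 'include', so the Yama side of the change described in the subject line is not visible in this view and cannot be checked against the updated comment.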