• Lukasz Pawelczyk's avatar
    Smack: unify all ptrace accesses in the smack · 5663884c
    Lukasz Pawelczyk authored
    The decision whether we can trace a process is made in the following
    functions:
    	smack_ptrace_traceme()
    	smack_ptrace_access_check()
    	smack_bprm_set_creds() (in case the proces is traced)
    
    This patch unifies all those decisions by introducing one function that
    checks whether ptrace is allowed: smk_ptrace_rule_check().
    
    This makes possible to actually trace with TRACEME where first the
    TRACEME itself must be allowed and then exec() on a traced process.
    
    Additional bugs fixed:
    - The decision is made according to the mode parameter that is now correctly
      translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1.
      PTRACE_MODE_READ requires MAY_READ.
      PTRACE_MODE_ATTACH requires MAY_READWRITE.
    - Add a smack audit log in case of exec() refused by bprm_set_creds().
    - Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info
      in case this flag is set.
    Signed-off-by: default avatarLukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
    Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
    5663884c
smack_lsm.c 93 KB