• Eric Paris's avatar
    ptrace: do not audit capability check when outputing /proc/pid/stat · 69f594a3
    Eric Paris authored
    Reading /proc/pid/stat of another process checks if one has ptrace permissions
    on that process.  If one does have permissions it outputs some data about the
    process which might have security and attack implications.  If the current
    task does not have ptrace permissions the read still works, but those fields
    are filled with inocuous (0) values.  Since this check and a subsequent denial
    is not a violation of the security policy we should not audit such denials.
    
    This can be quite useful to removing ptrace broadly across a system without
    flooding the logs when ps is run or something which harmlessly walks proc.
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    Acked-by: default avatarSerge E. Hallyn <serge.hallyn@canonical.com>
    69f594a3
ptrace.c 26.7 KB