Re: [PATCH] exec: Weaken dumpability for secureexec

From: Tom Horsley
Date: Wed Jan 03 2018 - 14:08:22 EST

Next message: Andy Shevchenko: "Re: [PATCH v3] gpio: winbond: add driver"
Previous message: Jaegeuk Kim: "Re: [f2fs-dev] [PATCH v5] f2fs: add reserved blocks for root user"
In reply to: Serge E. Hallyn: "Re: [PATCH] exec: Weaken dumpability for secureexec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 3 Jan 2018 09:21:16 -0800
Kees Cook wrote:

> The more interesting thing here is that secureexec is set for a
> process that ISN'T actually setuid. (ptrace of a setuid process). I
> think tha'ts the real bug, but not something I'm going to be able to
> fix quickly. So, for now, I want to revert this, then try to fix the
> weird case, and see if that breaks anyone, then fix this back to
> secureexec.

Certainly a program file that has capabilities attached to it
via "setcap" is intended to be treated just like setuid if
the capabilities it has are a superset of the capabilities
of the debugger. (I don't know if that is a useful info in this
case, but I thought I'd mention it :-).

Next message: Andy Shevchenko: "Re: [PATCH v3] gpio: winbond: add driver"
Previous message: Jaegeuk Kim: "Re: [f2fs-dev] [PATCH v5] f2fs: add reserved blocks for root user"
In reply to: Serge E. Hallyn: "Re: [PATCH] exec: Weaken dumpability for secureexec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]