Smack: wrong-looking capable() check in smk_ptrace_rule_check()

From: Jann Horn
Date: Thu Sep 06 2018 - 14:23:05 EST

Next message: Moritz Fischer: "Re: [PATCH] dt-bindings: fpga: fix freeze controller compatible in region doc"
Previous message: Moritz Fischer: "Re: [PATCH v2 3/8] fpga: bridge: add devm_fpga_bridge_create"
Next in thread: Lukasz Pawelczyk: "Re: Fwd: Smack: wrong-looking capable() check in smk_ptrace_rule_check()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

I noticed the following check in smk_ptrace_rule_check():

if (tracer_known->smk_known == tracee_known->smk_known)
rc = 0;
else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
rc = -EACCES;
else if (capable(CAP_SYS_PTRACE))
rc = 0;
else
rc = -EACCES;

Note that smk_ptrace_rule_check() can be called from not just
smack_ptrace_access_check() and smack_ptrace_traceme(), but also
smack_bprm_set_creds(). AFAICS this means that if a task executes with
a smack privilege transition and smack_ptrace_rule is
SMACK_PTRACE_EXACT, whether the execution is permitted depends on
whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether the
debugger has that capability).
This seems like it's probably unintentional?

Next message: Moritz Fischer: "Re: [PATCH] dt-bindings: fpga: fix freeze controller compatible in region doc"
Previous message: Moritz Fischer: "Re: [PATCH v2 3/8] fpga: bridge: add devm_fpga_bridge_create"
Next in thread: Lukasz Pawelczyk: "Re: Fwd: Smack: wrong-looking capable() check in smk_ptrace_rule_check()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]