Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation

From: Yves-Alexis Perez
Date: Sun Oct 07 2018 - 04:54:53 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, 2018-10-02 at 23:08 +0200, Yves-Alexis Perez wrote:
> On Tue, 2018-10-02 at 13:52 -0700, Matthew Wilcox wrote:
> > On Tue, Oct 02, 2018 at 10:47:23PM +0200, Yves-Alexis Perez wrote:
> > > Current phrasing is ambiguous since it's unclear if attaching to a
> > > children through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the
> > > sentence to make that clear.
> >
> > I disagree that your sentence makes that clear. How about:
> >
> > > 2 - admin-only attach:
> > > - only processes with ``CAP_SYS_PTRACE`` may use ptrace
> > > - with ``PTRACE_ATTACH``, or through children calling
> > > ``PTRACE_TRACEME``.
> > > + only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with
> > > + ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``.
> >
> > + only processes with ``CAP_SYS_PTRACE`` may use ptrace. This
> > + restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``.
>
> Hi Matthew,
>
> I'm no native speaker, both versions are fine by me but I liked keeping the
> âchildren callingâ part since the semantics are quite different for
> PTRACE_ATTACH and PTRACE_TRACEME.
>
Hi Kees, Matthew,

so what's the status on this? Who needs to acknowledge one wording or another?

Regards,
- --
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlu5ydIACgkQ3rYcyPpX
RFt7oAgAued/FsFiGvk6U/RG3JEj5p5aRu6harAXqK/Mw8n1gEu0nGvZvFJn31eY
fcU8quTtbmiNR2oYrAxjri2dhVd2JLsKDZU1bhpcKk33jDOzhUjeKnJgLGY38Z01
5idfKSy0CEZ0FvYvpt7gOm3loFlbM0au9JgFszVwFM8Yartr5vH1mPlZUwGbrroH
RORqAkwVI+g8iK1vqq9fdCf9J5mwcYu0DR8STvP8Nx12zEDNeiCShvXDNNt5VKg3
BHVNPHvE8uKaZmlyYt1oy9ZKjjcHn6veVkKEKFRz/TVc+q/Z7G1cORzVb7GzIPGj
9GoIZP2+Wi+7KUqUYQnHZSfujd5BzQ==
=jfBM
-----END PGP SIGNATURE-----