Re: Documenting ptrace access mode checking

From: Eric W. Biederman
Date: Tue Jun 21 2016 - 17:10:59 EST


Kees Cook <keescook@xxxxxxxxxxxx> writes:

> On Tue, Jun 21, 2016 at 12:55 PM, Eric W. Biederman
> <ebiederm@xxxxxxxxxxxx> wrote:
>
>> "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> writes:
>>
>>> The algorithm employed for ptrace access mode checking deterâ
>>> mines whether the calling process is allowed to perform the
>>> corresponding action on the target process, as follows:
>>>
>>> 1. If the calling thread and the target thread are in the same
>>> thread group, access is always allowed.
>>
>> This test only exsits because the LSMs historically and I suspect
>> continue to be broken and deny a process the ability to ptrace itself.
>
> Well, it's not that the LSMs are broken, it's that self-inspection is
> a short-circuited "allow". The LSMs aren't involved.

Long ago and far away. I modified /proc/self/something to use the same
permissions as ptrace. This broken everyone's selinux setups. So the
short circuit was added.

Or in short the LSMs aren't involved because they got it wrong.

If the selinux breakage was not in the selinux rules that are loaded from
userspace but in the kernel module that short circuit check would have
been confined to selinux.

I have had an occasional thought and the occassional discussion about
removing that check and just fixing the LSMs but at this point I don't
think anyone cares enough to make that change.

Eric