Re: Documenting ptrace access mode checking

From: Kees Cook
Date: Fri Jun 24 2016 - 16:07:23 EST


On Fri, Jun 24, 2016 at 8:18 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 6/24/2016 1:40 AM, Michael Kerrisk (man-pages) wrote:
>> So, I just want to check my understanding of a couple of points:
>>
>> 1. The commoncap LSM is invoked first, and if it denies access,
>> then no further LSM is/needs to be called.
>
> Yes. The LSM infrastructure is "bail on fail".
>
>>
>> 2. Is it the case that only one of the other LSMs (SELinux, Yama,
>> AppArmor, etc.) is invoked, or can more than one be invoked.
>> I thought only one is invoked, but perhaps I am out of date
>> in my understanding.
>
> All registered modules are invoked, but only one "major"
> module can be registered. The "minor" modules show up in
> security_init, while the majors come in via do_security_initcalls.

Just to fill in the history: prior the the recent LSM stacking changes
(v4.2), commoncap (which is effectively an LSM) was hard-coded to be
stacked with the single selected primary LSM. Then Yama got hard-coded
stacked with the primary LSM too, and then Casey saved us from total
insanity by providing a proper way to stack LSMs.

-Kees

--
Kees Cook
Chrome OS & Brillo Security