Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation

From: Matthew Wilcox
Date: Tue Oct 02 2018 - 16:53:04 EST

Next message: Shuah Khan: "Re: [PATCH v3 1/2] selftests: gpio: restructure Makefile"
Previous message: Kees Cook: "Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation"
In reply to: Jonathan Corbet: "Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation"
Next in thread: Kees Cook: "Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Oct 02, 2018 at 10:47:23PM +0200, Yves-Alexis Perez wrote:
> Current phrasing is ambiguous since it's unclear if attaching to a
> children through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the
> sentence to make that clear.

I disagree that your sentence makes that clear. How about:

> 2 - admin-only attach:
> - only processes with ``CAP_SYS_PTRACE`` may use ptrace
> - with ``PTRACE_ATTACH``, or through children calling ``PTRACE_TRACEME``.
> + only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with
> + ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``.

+ only processes with ``CAP_SYS_PTRACE`` may use ptrace. This
+ restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``.

Next message: Shuah Khan: "Re: [PATCH v3 1/2] selftests: gpio: restructure Makefile"
Previous message: Kees Cook: "Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation"
In reply to: Jonathan Corbet: "Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation"
Next in thread: Kees Cook: "Re: [PATCH] yama: clarify ptrace_scope=2 in Yama documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]