Smack: wrong-looking capable() check in smk_ptrace_rule_check()
Jann Horn
jannh at google.com
Thu Sep 6 18:22:35 UTC 2018
Hi!
I noticed the following check in smk_ptrace_rule_check():
if (tracer_known->smk_known == tracee_known->smk_known)
rc = 0;
else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
rc = -EACCES;
else if (capable(CAP_SYS_PTRACE))
rc = 0;
else
rc = -EACCES;
Note that smk_ptrace_rule_check() can be called from not just
smack_ptrace_access_check() and smack_ptrace_traceme(), but also
smack_bprm_set_creds(). AFAICS this means that if a task executes with
a smack privilege transition and smack_ptrace_rule is
SMACK_PTRACE_EXACT, whether the execution is permitted depends on
whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether the
debugger has that capability).
This seems like it's probably unintentional?
More information about the Linux-security-module-archive
mailing list