Smack: wrong-looking capable() check in smk_ptrace_rule_check()

Jann Horn jannh at google.com
Thu Sep 6 18:22:35 UTC 2018


Hi!

I noticed the following check in smk_ptrace_rule_check():

                if (tracer_known->smk_known == tracee_known->smk_known)
                        rc = 0;
                else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
                        rc = -EACCES;
                else if (capable(CAP_SYS_PTRACE))
                        rc = 0;
                else
                        rc = -EACCES;

Note that smk_ptrace_rule_check() can be called from not just
smack_ptrace_access_check() and smack_ptrace_traceme(), but also
smack_bprm_set_creds(). AFAICS this means that if a task executes with
a smack privilege transition and smack_ptrace_rule is
SMACK_PTRACE_EXACT, whether the execution is permitted depends on
whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether the
debugger has that capability).
This seems like it's probably unintentional?
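
Added example, not part of the original message and not kernel code: a userspace C model of the quoted branch, showing which task's CAP_SYS_PTRACE decides the result on the attach path and on the exec path described above. The struct, enum and function names are assumptions made for the model, as is the attach path treating the tracer as the running task.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Userspace model; all type and function names are assumptions made for
 * this example, not kernel definitions. */
enum rule { RULE_EXACT, RULE_DRACONIAN };
struct task { const char *label; bool cap_sys_ptrace; };
typedef int (*check_fn)(const struct task *, const struct task *, enum rule);

static const struct task *cur; /* stand-in for the kernel's `current` */

/* The quoted branch, with the task whose capability is consulted made explicit. */
static int rule_check(const struct task *tracer, const struct task *tracee,
                      enum rule rule, const struct task *cap_from)
{
    if (strcmp(tracer->label, tracee->label) == 0)
        return 0;
    if (rule == RULE_DRACONIAN)
        return -EACCES;
    return cap_from->cap_sys_ptrace ? 0 : -EACCES;
}

/* As quoted: capable() looks at whichever task is running. */
static int check_current(const struct task *tr, const struct task *te, enum rule r)
{ return rule_check(tr, te, r, cur); }

/* Variant: look at the tracer that was passed in. */
static int check_tracer(const struct task *tr, const struct task *te, enum rule r)
{ return rule_check(tr, te, r, tr); }

/* ptrace attach: the tracer is the running task. */
static int on_attach(check_fn f, const struct task *tr, const struct task *te, enum rule r)
{ cur = tr; return f(tr, te, r); }

/* exec of a task that is already traced: the tracee is the running task. */
static int on_exec(check_fn f, const struct task *tr, const struct task *te, enum rule r)
{ cur = te; return f(tr, te, r); }

int main(void)
{
    /* Constructed tasks: debugger without the capability, debugged task with it. */
    struct task dbg = { "A", false }, tgt = { "B", true };
    printf("attach, current-based: %d\n", on_attach(check_current, &dbg, &tgt, RULE_EXACT));
    printf("exec,   current-based: %d\n", on_exec(check_current, &dbg, &tgt, RULE_EXACT));
    printf("exec,   tracer-based:  %d\n", on_exec(check_tracer, &dbg, &tgt, RULE_EXACT));
    return 0;
}
```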


