Thread (4 messages) 4 messages, 2 authors, 2025-10-05

Re: [PATCH] capabilities.7: Expand CAP_SYS_PTRACE to include /proc

From: Alejandro Colomar <alx@kernel.org>
Date: 2025-10-05 19:51:14

On Thu, Sep 25, 2025 at 11:17:05AM -0400, Jonathon Reinhart wrote:
> Hi Alex,

Hi Jonathon,

> On Thu, Sep 25, 2025 at 7:35 AM Alejandro Colomar [off-list ref] wrote:
> > Hi Jonathon,
> >
> > On Wed, Sep 24, 2025 at 03:23:13PM +0000, Jonathon Reinhart wrote:
> > > CAP_SYS_PTRACE is required (via ptrace_may_access) for accessing various
> > > things in /proc, so include it in the CAP_SYS_PTRACE bullet list.
> >
> > Was it always needed?  Or when did this change?  Could you please
> > provide links to the relevant commits or source code (or any other
> > useful source of information)?
>
> From what I can tell, these ptrace-associated restrictions on /proc have
> existed in some capacity ~forever.
>
> Even in the initial git commit (1da177e4c3f4 Linux-2.6.12-rc2), accesses
> to /proc/<pid>/{mem, environ} check may_ptrace_attach() which calls
> capable(CAP_SYS_PTRACE).
>
> The affected set of files in /proc and the exact semantics have changed
> over the years, but the general restriction has, AFAICT, always been there.
>
> A few more notes from my archaeological dig:
>
> The relevant functions have used different names (ptrace_may_access,
> ptrace_may_attach, may_ptrace_attach, MAY_PTRACE).
>
> Here are some relevant commits:
>
> 006ebb40d3d6 Security: split proc ptrace checking into read vs. attach
> 831830b5a2b5 restrict reading from /proc/<pid>/maps to those who share ->mm or can ptrace pid
> 5096add84b9e proc: maps protection
> df26c40e5673 [PATCH] proc: Cleanup proc_fd_access_allowed
> 778c1144771f [PATCH] proc: Use sane permission checks on the /proc/<pid>/fd/ symlinks
> 1da177e4c3f4 Linux-2.6.12-rc2
>
> I could include this in the commit message if you'd like, but after
> digging through this, I'm not sure it would really add much value.
Thanks!  I've kept it out of the commit message.  Since it refers to the
mailing list Message-ID, having it in this thread should be okay.
I've applied the patch.


Have a lovely day!
Alex

-- 
<https://www.alejandro-colomar.es>
Use port 80 (that is, <...:80/>).
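As an added example (not part of this thread or of the man-pages patch), here is a small C probe that shows the check the thread describes from the calling process's side: it reports whether CAP_SYS_PTRACE is in the caller's effective capability set (parsed from the CapEff line of /proc/self/status) and whether reading /proc/<pid>/environ of a given PID is permitted or refused. The capability bit number (19) is the value of CAP_SYS_PTRACE in linux/capability.h; the function names capeff_has_sys_ptrace, self_has_sys_ptrace and probe_environ are this example's own, and the CapEff lines in the comments are constructed samples.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* CAP_SYS_PTRACE is capability number 19 in linux/capability.h. */
#define CAP_SYS_PTRACE_BIT 19

/* Parse one "CapEff:\t<hex mask>" line of /proc/<pid>/status.
 * Returns 1 if CAP_SYS_PTRACE is set, 0 if not, -1 if the line is not
 * a CapEff line or the mask cannot be parsed.
 * Constructed samples: "CapEff:\t0000000000080000" -> 1 (only bit 19),
 *                      "CapEff:\t0000000000000000" -> 0. */
int capeff_has_sys_ptrace(const char *status_line)
{
    const char *p;
    char *end;
    unsigned long long mask;

    if (strncmp(status_line, "CapEff:", 7) != 0)
        return -1;
    p = status_line + 7;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    mask = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return -1;
    return (int)((mask >> CAP_SYS_PTRACE_BIT) & 1ULL);
}

/* Read /proc/self/status and report the caller's CAP_SYS_PTRACE state
 * (1 = present in CapEff, 0 = absent, -1 = could not determine). */
int self_has_sys_ptrace(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        int r = capeff_has_sys_ptrace(line);
        if (r != -1) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to read the start of /proc/<pid>/environ.  Returns 0 if the read
 * is permitted, otherwise the errno reported by open(2) or read(2).
 * A refusal here is the ptrace_may_access() gate (or the file mode) the
 * thread talks about; the caller's own PID is always readable. */
int probe_environ(pid_t pid)
{
    char path[64];
    char buf[64];
    int fd, err;
    ssize_t n;

    snprintf(path, sizeof path, "/proc/%ld/environ", (long)pid);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    n = read(fd, buf, sizeof buf);
    err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    /* Default target is PID 1; pass another PID as the first argument. */
    pid_t target = argc > 1 ? (pid_t)atol(argv[1]) : (pid_t)1;
    int cap = self_has_sys_ptrace();
    int err = probe_environ(target);

    printf("CAP_SYS_PTRACE in CapEff: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    if (err == 0)
        printf("/proc/%ld/environ: readable\n", (long)target);
    else
        printf("/proc/%ld/environ: refused (%s)\n",
               (long)target, strerror(err));
    return 0;
}
```

Run it once as an unprivileged user against a process owned by someone else and once as root (or with CAP_SYS_PTRACE granted) to see the two outcomes side by side; the first line tells you which case you are in before you read the second.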
