[PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED

[PATCH v5 0/5] LSM: Support ptrace sidechannel access checks · Casey Schaufler <hidden> · 2018-09-26
[PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED · Casey Schaufler <hidden> · 2018-09-26
Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED · Jann Horn <jannh@google.com> · 2018-09-26
RE: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED · Schaufler, Casey <hidden> · 2018-09-26
Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED · Jann Horn <jannh@google.com> · 2018-09-26
Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED · Jiri Kosina <jikos@kernel.org> · 2018-10-04
Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED · Jann Horn <jannh@google.com> · 2018-10-04
Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED · Jiri Kosina <jikos@kernel.org> · 2018-10-16
[PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · Casey Schaufler <hidden> · 2018-09-26
Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · James Morris <jmorris@namei.org> · 2018-09-27
Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-27
Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · James Morris <jmorris@namei.org> · 2018-09-27
RE: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · Schaufler, Casey <hidden> · 2018-09-27
RE: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · James Morris <jmorris@namei.org> · 2018-09-27
Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · Jann Horn <jannh@google.com> · 2018-09-27
Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · James Morris <jmorris@namei.org> · 2018-09-28
RE: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel · Schaufler, Casey <hidden> · 2018-09-28
[PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED · Casey Schaufler <hidden> · 2018-09-26
Re: [PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED · Stephen Smalley <hidden> · 2018-09-27
RE: [PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED · Schaufler, Casey <hidden> · 2018-09-27
[PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED · Casey Schaufler <hidden> · 2018-09-26
Re: [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED · Jann Horn <jannh@google.com> · 2018-09-26
Re: [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED · Jann Horn <jannh@google.com> · 2018-09-26
RE: [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED · Schaufler, Casey <hidden> · 2018-09-26
[PATCH v5 4/5] Capability: Complete PTRACE_MODE_SCHED · Casey Schaufler <hidden> · 2018-09-26
Re: [PATCH v5 4/5] Capability: Complete PTRACE_MODE_SCHED · Jann Horn <jannh@google.com> · 2018-09-26
RE: [PATCH v5 4/5] Capability: Complete PTRACE_MODE_SCHED · Schaufler, Casey <hidden> · 2018-09-26

From: jannh@google.com (Jann Horn)
Date: 2018-09-26 21:31:04
Also in: lkml, selinux

On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
[off-list ref] wrote:

quoted hunk ↗ jump to hunk

A ptrace access check with mode PTRACE_MODE_SCHED gets called
from process switching code. This precludes the use of audit,
as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
case.

Signed-off-by: Casey Schaufler <redacted>
---
 security/smack/smack_lsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 340fc30ad85d..ffa95bcab599 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c

@@ -422,7 +422,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
        struct task_smack *tsp;
        struct smack_known *tracer_known;

-       if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
+       if ((mode & PTRACE_MODE_NOAUDIT) == 0 &&
+           (mode & PTRACE_MODE_SCHED) == 0) {

If you ORed PTRACE_MODE_NOAUDIT into the flags when calling the
security hook, you could drop this patch, right?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help