+Jiri

On Thu, Sep 27, 2018 at 12:54 AM Schaufler, Casey
[off-list ref] wrote:

quoted

-----Original Message-----
From: Jann Horn [mailto:jannh at google.com]
Sent: Wednesday, September 26, 2018 2:31 PM
To: Schaufler, Casey <redacted>
Cc: Kernel Hardening <redacted>; kernel list
[off-list ref]; linux-security-module <linux-security-
module at vger.kernel.org>; selinux at tycho.nsa.gov; Hansen, Dave
[off-list ref]; Dock, Deneen T [off-list ref];
kristen at linux.intel.com; Arjan van de Ven [off-list ref]
Subject: Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED

On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
[off-list ref] wrote:

quoted

A ptrace access check with mode PTRACE_MODE_SCHED gets called
from process switching code. This precludes the use of audit,
as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
case.

Signed-off-by: Casey Schaufler <redacted>
---
 security/smack/smack_lsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 340fc30ad85d..ffa95bcab599 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c

@@ -422,7 +422,8 @@ static int smk_ptrace_rule_check(struct task_struct

*tracer,

quoted

        struct task_smack *tsp;
        struct smack_known *tracer_known;

-       if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
+       if ((mode & PTRACE_MODE_NOAUDIT) == 0 &&
+           (mode & PTRACE_MODE_SCHED) == 0) {

If you ORed PTRACE_MODE_NOAUDIT into the flags when calling the
security hook, you could drop this patch, right?

Yes. Since the PTRACE_MODE_NOAUDIT was in PTRACE_MODE_IBPB
in Jiri's previous patch set and not in PTRACE_MODE_SCHED in this one
I assumed that there was a good reason for it.

Jiri, was there a good reason for it, and if so, what was it?