>> +int suspend_seccomp(struct task_struct *task)
>> +{
>> + int ret = -EACCES;
>> +
>> + spin_lock_irq(&task->sighand->siglock);
>> +
>> + if (!capable(CAP_SYS_ADMIN))
>> + goto out;
>
> I am puzzled ;) Why do we need ->siglock? And even if we need it, why
> we can't check CAP_SYS_ADMIN lockless?
>
> And I am not sure I understand why do we need the additional security
> check, but I leave this to you and Andy.
>
> If you have the rights to trace this task, then you can do anything
> the tracee could do without the filtering.
I think _this_ check is required, otherwise the seccomp-ed task (in
filtered mode) fork-s a child, then this child ptrace-attach to parent
(allowed) then suspend its seccomd. And -- we have unpriviledged process
de-seccomped.
-- Pavel
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
