On Wed, Jun 22, 2016 at 12:21 PM, Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx> wrote: > On 06/21/2016 10:55 PM, Jann Horn wrote: >> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages) >> wrote: >>> 5. The kernel LSM security_ptrace_access_check() interface is >>> invoked to see if ptrace access is permitted. The results >>> depend on the LSM. The implementation of this interface in >>> the default LSM performs the following steps: >> >> >> For people who are unaware of how the LSM API works, it might be good to >> clarify that the commoncap LSM is *always* invoked; otherwise, it might >> give the impression that using another LSM would replace it. > > > As we can see, I am one of those who are unaware of how the LSM API > works :-/. > >> (Also, are there other documents that refer to it as "default LSM"? I >> think that that term is slightly confusing.) > > > No, that's a terminological confusion of my own making. Fixed now. > > I changed this text to: > > Various parts of the kernel-user-space API (not just ptrace(2) > operations), require so-called "ptrace access mode permissions" > which are gated by any enabled Linux Security Module (LSMs)—for > example, SELinux, Yama, or Smack—and by the the commoncap LSM > (which is always invoked). Prior to Linux 2.6.27, all such > checks were of a single type. Since Linux 2.6.27, two access > mode levels are distinguished: > > BTW, can you point me at the piece(s) of kernel code that show that > "commoncap" is always invoked in addition to any other LSM that has > been installed? It's not entirely obvious, but the bottom of security/commoncap.c shows: #ifdef CONFIG_SECURITY struct security_hook_list capability_hooks[] = { LSM_HOOK_INIT(capable, cap_capable), ... }; void __init capability_add_hooks(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks)); } #endif And security/security.c shows the initialization order of the LSMs: int __init security_init(void) { pr_info("Security Framework initialized\n"); /* * Load minor LSMs, with the capability module always first. */ capability_add_hooks(); yama_add_hooks(); loadpin_add_hooks(); /* * Load all the remaining security modules. */ do_security_initcalls(); return 0; } -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html