On Tue, Oct 2, 2018 at 1:52 PM, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
> On Tue, Oct 02, 2018 at 10:47:23PM +0200, Yves-Alexis Perez wrote:
>> Current phrasing is ambiguous since it's unclear if attaching to a
>> child through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the
>> sentence to make that clear.
>
> I disagree that your sentence makes that clear. How about:
>
>> 2 - admin-only attach:
>> - only processes with ``CAP_SYS_PTRACE`` may use ptrace
>> - with ``PTRACE_ATTACH``, or through children calling ``PTRACE_TRACEME``.
>> + only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with
>> + ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``.
>
> + only processes with ``CAP_SYS_PTRACE`` may use ptrace. This
> + restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``.

PTRACE_TRACEME is done by the child, not the process with CAP_SYS_PTRACE,
so I still think Yves-Alexis's is clearer. But if others agree, I'm fine
with it. :)

-Kees

--
Kees Cook
Pixel Security
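Review bot: the replacement lines in the quoted hunk ("+ only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``") still leave open which process must hold the capability in the PTRACE_TRACEME case, which is exactly the ambiguity the commit message sets out to remove; as the reply below the hunk points out, PTRACE_TRACEME is issued by the child, so the wording should name the tracer as the holder, for example "only processes with ``CAP_SYS_PTRACE`` may trace, whether they attach with ``PTRACE_ATTACH`` or are asked to by a child calling ``PTRACE_TRACEME``".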