On Tue, 2018-10-02 at 13:52 -0700, Matthew Wilcox wrote: > On Tue, Oct 02, 2018 at 10:47:23PM +0200, Yves-Alexis Perez wrote: > > Current phrasing is ambiguous since it's unclear if attaching to a > > children through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the > > sentence to make that clear. > > I disagree that your sentence makes that clear. How about: > > > 2 - admin-only attach: > > - only processes with ``CAP_SYS_PTRACE`` may use ptrace > > - with ``PTRACE_ATTACH``, or through children calling > > ``PTRACE_TRACEME``. > > + only processes with ``CAP_SYS_PTRACE`` may use ptrace, either with > > + ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``. > > + only processes with ``CAP_SYS_PTRACE`` may use ptrace. This > + restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``. Hi Matthew, I'm no native speaker, both versions are fine by me but I liked keeping the “children calling” part since the semantics are quite different for PTRACE_ATTACH and PTRACE_TRACEME. Regards, -- Yves-Alexis
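Review bot: In the final `+` lines of the quoted hunk, "This restricts both ``PTRACE_ATTACH`` and ``PTRACE_TRACEME``" drops the "through children calling" wording, so it no longer says which process must hold ``CAP_SYS_PTRACE`` in the ``PTRACE_TRACEME`` case: the child making the call or the parent that becomes its tracer. That is the ambiguity the commit message sets out to remove, and the "either with ``PTRACE_ATTACH`` or through children calling ``PTRACE_TRACEME``" variant leaves the same question open. Suggest keeping "children calling ``PTRACE_TRACEME``" and adding a clause that names the process on which the capability is checked.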