Re: [PATCH 1/5] kcmp.2: note about SECURITY_YAMA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Shawn,

Can you supply more background on this patch. 

Looking at security/yama/yama_lsm.c:

[[
#define YAMA_SCOPE_DISABLED     0
#define YAMA_SCOPE_RELATIONAL   1
#define YAMA_SCOPE_CAPABILITY   2
#define YAMA_SCOPE_NO_ATTACH    3

static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
]]

This suggests that your statement that the default value is 2 is incorrect,
but I may be missing something.

Cheers,

Michael


On 12/21/13 13:37, Shawn Landden wrote:
> Signed-off-by: Shawn Landden <shawn@xxxxxxxxxxxxxxx>
> ---
>  man2/kcmp.2 | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/man2/kcmp.2 b/man2/kcmp.2
> index 59dd4d1..c910ac2 100644
> --- a/man2/kcmp.2
> +++ b/man2/kcmp.2
> @@ -187,7 +187,12 @@ is invalid.
>  Insufficient permission to inspect process resources.
>  The
>  .B CAP_SYS_PTRACE
> -capability is required to inspect processes that you do not own.
> +capability is required to inspect processes that you do not own. Other
> +limitations on ptrace apply, such as
> +.BR CONFIG_SECURITY_YAMA ,
> +which when /proc/sys/kernel/yama/ptrace_scope is 2 (the default) limits
> +.BR kcmp()
> +to child processes.
>  .TP
>  .B ESRCH
>  Process
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Documentation]     [Netdev]     [Linux Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux