Re: A small bug in ptrace(2) "Ptrace access mode checking"

Hello Alexey,

On 6/17/19 10:23 PM, Alexey Izbyshev wrote:
> Hello, Michael!
> 
> I've noticed a small bug in ptrace(2) man page at NOTES -> Ptrace access 
> mode checking -> 5(b):
> 
> b) Deny access if neither of the following is true:
> 
>               · The caller and the target process are in the same user
>                 namespace, and the caller's capabilities are a proper
>                 superset of the target process's permitted capabilities.
> 
>               · The caller has the CAP_SYS_PTRACE capability in the target
>                 process's user namespace.
> 
> The usage of "*proper* superset" seems wrong because (a) it'd deny 
> access in a common case when both the caller and the target have the 
> same capabilities and (b) it doesn't correspond to the kernel code, 
> which checks for a non-strict superset[1].
> 
> I believe that "proper superset" should be replaced with just 
> "superset".

Yes. My mistake. Thanks for the report. Fixed now.

> [1] 
> https://elixir.bootlin.com/linux/v5.1.11/source/security/commoncap.c#L152
> 
> Thanks for your great work on the man pages!

You're welcome!

Thanks,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
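
The distinction discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a simplified C model of step 5(b) evaluated with both readings of "superset". The struct, its field names, the namespace ids and the precomputed `sys_ptrace_in_target_ns` flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t capset_t;             /* one bit per capability number */
#define CAP(n) (UINT64_C(1) << (n))
#define CAP_NET_ADMIN 12               /* number as in <linux/capability.h> */

/* Simplified credentials; field names are illustrative, not kernel names. */
struct model_cred {
    int      user_ns;                  /* constructed namespace id */
    capset_t caps;                     /* caller: its capabilities; target: permitted set */
    bool     sys_ptrace_in_target_ns;  /* caller only: CAP_SYS_PTRACE in target's userns */
};

/* Non-strict: every bit of b is also in a, so equal sets qualify. */
static bool is_superset(capset_t a, capset_t b) { return (b & ~a) == 0; }

/* Strict: superset and not equal (the wording the thread corrects). */
static bool is_proper_superset(capset_t a, capset_t b) {
    return is_superset(a, b) && a != b;
}

/* Step 5(b): true means access is not denied at this step. */
static bool step5b_allows(const struct model_cred *caller,
                          const struct model_cred *target, bool strict) {
    bool covers = strict ? is_proper_superset(caller->caps, target->caps)
                         : is_superset(caller->caps, target->caps);
    if (caller->user_ns == target->user_ns && covers)
        return true;
    return caller->sys_ptrace_in_target_ns;
}

int main(void) {
    /* Constructed sample credentials. */
    struct model_cred plain  = { 1, 0, false };               /* no capabilities */
    struct model_cred netadm = { 1, CAP(CAP_NET_ADMIN), false };
    struct model_cred tracer = { 2, 0, true };                /* other userns */
    printf("equal sets, superset:        %d\n", step5b_allows(&plain, &plain, false));
    printf("equal sets, proper superset: %d\n", step5b_allows(&plain, &plain, true));
    printf("target has extra cap:        %d\n", step5b_allows(&plain, &netadm, false));
    printf("CAP_SYS_PTRACE in target ns: %d\n", step5b_allows(&tracer, &netadm, true));
    return 0;
}
```

With the strict reading, two processes in the same user namespace holding identical capability sets would fail this step, which is case (a) in the report.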



