Quoting Oren Laadan (orenl@xxxxxxxxxxxxxxx): > Security modules distinguish reading of process state (via proc) from > full ptrace access using the access mode: PTRACE_MODE_{READ,ATTACH}. > > Read access to /proc/pid/mem requires a full ptrace attach (for more > details, see: http://lwn.net/Articles/282930/). > > Checkpoint needs access to full process state, including memory, so > we require PTRACE_MODE_ATTACH. > > Signed-off-by: Oren Laadan <orenl@xxxxxxxxxxxxxxx> Acked-by: Serge Hallyn <serue@xxxxxxxxxx> thanks, -serge > --- > checkpoint/checkpoint.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/checkpoint/checkpoint.c b/checkpoint/checkpoint.c > index 325dfa3..7b141e3 100644 > --- a/checkpoint/checkpoint.c > +++ b/checkpoint/checkpoint.c > @@ -296,7 +296,7 @@ static int may_checkpoint_task(struct ckpt_ctx *ctx, struct task_struct *t) > return -EAGAIN; > } > > - if (!ptrace_may_access(t, PTRACE_MODE_READ)) { > + if (!ptrace_may_access(t, PTRACE_MODE_ATTACH)) { > __ckpt_write_err(ctx, "access to task %d (%s) denied", > task_pid_vnr(t), t->comm); > return -EPERM; > -- > 1.6.0.4
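Review bot: the ptrace_may_access(t, PTRACE_MODE_ATTACH) check in may_checkpoint_task() has no comment explaining why attach-level access is required, so the reasoning (checkpoint reads full process state including memory, the same bar as reading /proc/pid/mem) exists only in the commit message. A short comment above the check would make it harder for a later cleanup to relax it back to PTRACE_MODE_READ. The error string passed to __ckpt_write_err(), "access to task %d (%s) denied", is also unchanged and does not say which access was refused; naming ptrace attach access there would help someone correlate the -EPERM with a security-module denial.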