From: Jann Horn
Date: Wed, 26 Sep 2018 23:30:35 +0200
Subject: Re: [PATCH v5 2/5] Smack: Prepare for PTRACE_MODE_SCHED
To: Casey Schaufler
Cc: Kernel Hardening, kernel list, linux-security-module, selinux@tycho.nsa.gov, Dave Hansen, deneen.t.dock@intel.com, kristen@linux.intel.com, Arjan van de Ven
In-Reply-To: <20180926203446.2004-3-casey.schaufler@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler wrote:
> A ptrace access check with mode PTRACE_MODE_SCHED gets called
> from process switching code. This precludes the use of audit,
> as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
> case.
>
> Signed-off-by: Casey Schaufler
> --- > security/smack/smack_lsm.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 340fc30ad85d..ffa95bcab599 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c 
> @@ -422,7 +422,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, > struct task_smack *tsp; > struct smack_known *tracer_known; > > - if ((mode & PTRACE_MODE_NOAUDIT) == 0) { > + if ((mode & PTRACE_MODE_NOAUDIT) == 0 && > + (mode & PTRACE_MODE_SCHED) == 0) { If you ORed PTRACE_MODE_NOAUDIT into the flags when calling the security hook, you could drop this patch, right?
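
Review bot: the added test (mode & PTRACE_MODE_SCHED) == 0 in smk_ptrace_rule_check() has no comment saying why this mode skips audit; the reason (the check is called from process switching code, where audit's locking is incompatible) is recorded only in the commit message. Put a short comment above the condition, and note there that a check made with PTRACE_MODE_SCHED leaves no audit record, since that is what someone reading the audit log later will need to know. The two tests could also be written as one mask, (mode & (PTRACE_MODE_NOAUDIT | PTRACE_MODE_SCHED)) == 0, which keeps both no-audit cases in a single expression.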