Date: Tue, 13 Jul 2010 21:17:20 -0500
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <kees.cook@canonical.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH] Yama: turn process ancestry check into function
Message-ID: <20100714021720.GA17686@hallyn.com>
References: <20100713173339.GA6104@outflux.net>
 <201007140019.o6E0J9gQ060582@www262.sakura.ne.jp>
 <20100714003049.GO6104@outflux.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20100714003049.GO6104@outflux.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1151
Lines: 27

Quoting Kees Cook (kees.cook@canonical.com):
> On Wed, Jul 14, 2010 at 09:19:09AM +0900, Tetsuo Handa wrote:
> > > +	if (mode == PTRACE_MODE_ATTACH &&
> > > +	    ptrace_scope &&
> > > +	    !task_is_descendant(current, child) &&
> > > +	    !capable(CAP_SYS_PTRACE))
> > > +		rc = -EPERM;
> > 
> > I don't know how heavy capable(CAP_SYS_PTRACE) is.
> > But checking !capable(CAP_SYS_PTRACE) before
> > !task_is_descendant(current, child) might be lighter.
> 
> That's the order I had before, but in looking at some of the other code, it
> seemed like moving it to the end made more logical sense.  Since checking
> PTRACE attach isn't a common or time-sensitive operation, I figured trying
> to tune it wasn't critical.

Yes the reason to keep it like this is that capable(CAP_SYS_PTRACE)
will set PF_SUPERPRIV if it passes.  You don't want to do that unless
the capability was actually required.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/