linux-sg2042/fs
Stephen Smalley 006ebb40d3 Security: split proc ptrace checking into read vs. attach
Enable security modules to distinguish reading of process state via
proc from full ptrace access by renaming ptrace_may_attach to
ptrace_may_access and adding a mode argument indicating whether only
read access or full attach access is requested.  This allows security
modules to permit access to reading process state without granting
full ptrace access.  The base DAC/capability checking remains unchanged.

Read access to /proc/pid/mem continues to apply a full ptrace attach
check since check_mem_permission() already requires the current task
to already be ptracing the target.  The other ptrace checks within
proc for elements like environ, maps, and fds are changed to pass the
read mode instead of attach.

In the SELinux case, we model such reading of process state as a
reading of a proc file labeled with the target process' label.  This
enables SELinux policy to permit such reading of process state without
permitting control or manipulation of the target process, as there are
a number of cases where programs probe for such information via proc
but do not need to be able to control the target (e.g. procps,
lsof, PolicyKit, ConsoleKit).  At present we have to choose between
allowing full ptrace in policy (more permissive than required/desired)
or breaking functionality (or in some cases just silencing the denials
via dontaudit rules but this can hide genuine attacks).

This version of the patch incorporates comments from Casey Schaufler
(change/replace existing ptrace_may_attach interface, pass access
mode), and Chris Wright (provide greater consistency in the checking).

Note that like their predecessors __ptrace_may_attach and
ptrace_may_attach, the __ptrace_may_access and ptrace_may_access
interfaces use different return value conventions from each other (0
or -errno vs. 1 or 0).  I retained this difference to avoid any
changes to the caller logic but made the difference clearer by
changing the latter interface to return a bool rather than an int and
by adding a comment about it to ptrace.h for any future callers.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14 15:01:47 +10:00
..
9p 9p: fix O_APPEND in legacy mode 2008-07-03 09:59:03 -05:00
adfs fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
affs [PATCH] fix reservation discarding in affs 2008-05-06 13:45:33 -04:00
afs Fix various old email addresses for dwmw2 2008-06-06 11:29:10 -07:00
autofs mount options: fix autofs 2008-02-08 09:22:40 -08:00
autofs4 autofs: path_{get,put}() cleanups 2008-05-01 08:04:01 -07:00
befs byteorder: don't directly include linux/byteorder/generic.h 2008-05-16 12:01:45 -07:00
bfs fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
cifs cifs: fix wksidarr declaration to be big-endian friendly 2008-07-12 14:33:42 -07:00
coda codafs: fix build warning 2008-04-29 08:06:04 -07:00
configfs fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
cramfs fs: Remove unnecessary inclusions of asm/semaphore.h 2008-04-18 22:16:44 -04:00
debugfs DEBUGFS: Correct location of debugfs API documentation. 2008-04-30 16:52:47 -07:00
devpts devpts: factor out PTY index allocation 2008-04-30 08:29:48 -07:00
dlm dlm: fix plock dev_write return value 2008-05-19 15:37:27 -05:00
ecryptfs ecryptfs: remove unnecessary mux from ecryptfs_init_ecryptfs_miscdev() 2008-07-04 10:40:05 -07:00
efs efs: update error msg to not refer to deleted read_inode() 2008-04-02 15:28:19 -07:00
exportfs fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
ext2 ext2: retry block allocation if new blocks are allocated from system zone 2008-04-28 08:58:43 -07:00
ext3 ext3: add missing unlock to error path in ext3_quota_write() 2008-07-04 10:40:05 -07:00
ext4 ext4: add missing unlock to an error path in ext4_quota_write() 2008-07-04 10:40:05 -07:00
fat fat: relax the permission check of fat_setattr() 2008-06-12 18:05:39 -07:00
freevxfs fs/freevxfs/: proper externs 2008-04-29 08:06:00 -07:00
fuse fuse: fix thinko in max I/O size calucation 2008-06-17 18:08:10 -07:00
gfs2 [GFS2] fix gfs2 block allocation (cleaned up) 2008-06-24 19:02:28 +01:00
hfs hfs: fix warning with 64k PAGE_SIZE 2008-04-30 08:29:52 -07:00
hfsplus Fix hfsplus oops on image without extents 2008-05-13 08:02:24 -07:00
hostfs uml: fix hostfs tv_usec calculations 2008-02-05 09:44:30 -08:00
hpfs mount options: fix hpfs 2008-02-08 09:22:40 -08:00
hppfs fix hppfs Makefile breakage 2008-05-21 16:55:58 -07:00
hugetlbfs mm: bdi: add separate writeback accounting capability 2008-04-30 08:29:50 -07:00
isofs isofs: fix access to unallocated memory when reading corrupted filesystem 2008-04-30 08:29:33 -07:00
jbd jbd: need to hold j_state_lock to updates to transaction t_state to T_COMMIT 2008-05-14 19:11:14 -07:00
jbd2 jbd2: Fix barrier fallback code to re-lock the buffer head 2008-06-03 22:31:11 -04:00
jffs2 Merge git://git.infradead.org/mtd-2.6 2008-05-01 11:15:28 -07:00
jfs proc: remove proc_root_fs 2008-04-29 08:06:18 -07:00
lockd fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
minix iget: stop the MINIX filesystem from using iget() and read_inode() 2008-02-07 08:42:28 -08:00
msdos fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
ncpfs ncpfs: use get/put_unaligned_* helpers 2008-04-29 08:06:28 -07:00
nfs NFS: Fix readdir cache invalidation 2008-07-08 15:22:40 -04:00
nfs_common
nfsd nfsd: reorder printk in do_probe_callback to avoid use-after-free 2008-05-18 19:13:07 -04:00
nls sparse pointer use of zero as null 2007-10-18 14:37:31 -07:00
ntfs ntfs: le*_add_cpu conversion 2008-05-24 09:56:08 -07:00
ocfs2 ocfs2: Fix flags in ocfs2_file_lock 2008-07-10 09:25:39 -07:00
openpromfs iget: stop OPENPROMFS from using iget() and read_inode() 2008-02-07 08:42:29 -08:00
partitions fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
proc Security: split proc ptrace checking into read vs. attach 2008-07-14 15:01:47 +10:00
qnx4 iget: stop QNX4 from using iget() and read_inode() 2008-02-07 08:42:28 -08:00
ramfs mm: bdi: add separate writeback accounting capability 2008-04-30 08:29:50 -07:00
reiserfs reiserfs: discard prealloc in reiserfs_delete_inode 2008-07-08 12:39:31 -07:00
romfs ROMFS: Fix up an error in iget removal 2008-03-19 18:53:36 -07:00
smbfs fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
sysfs sysfs: remove error messages for -EEXIST case 2008-05-14 22:34:16 -07:00
sysv sysv: [bl]e*_add_cpu conversion 2008-04-30 08:29:52 -07:00
udf udf: Fix regression in UDF anchor block detection 2008-06-24 11:38:03 +02:00
ufs ufs: remove unneeded ufs_put_inode prototype 2008-05-13 08:02:23 -07:00
vfat fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
xfs Fix reference counting race on log buffers 2008-07-11 11:37:18 -07:00
Kconfig ntfs: update help text 2008-07-04 10:40:07 -07:00
Kconfig.binfmt frv: don't offer BINFMT_FLAT 2008-06-06 11:29:08 -07:00
Makefile x86: compat_binfmt_elf Kconfig 2008-01-30 13:31:46 +01:00
aio.c uml: activate_mm: remove the dead PF_BORROWED_MM check 2008-06-06 11:36:22 -07:00
anon_inodes.c [PATCH] sanitize anon_inode_getfd() 2008-05-01 13:08:50 -04:00
attr.c VFS: make notify_change pass ATTR_KILL_S*ID to setattr operations 2007-10-18 14:37:22 -07:00
bad_inode.c iget: introduce a function to register iget failure 2008-02-07 08:42:26 -08:00
binfmt_aout.c fs/binfmt_aout.c: use printk_ratelimit() 2008-04-29 08:06:04 -07:00
binfmt_elf.c Remove last traces of a.out support from ELF loader. 2008-06-16 10:20:57 -07:00
binfmt_elf_fdpic.c nommu: fix ksize() abuse 2008-06-06 11:29:13 -07:00
binfmt_em86.c binfmt_misc.c: avoid potential kernel stack overflow 2008-04-29 08:06:04 -07:00
binfmt_flat.c nommu: fix ksize() abuse 2008-06-06 11:29:13 -07:00
binfmt_misc.c binfmt_misc.c: avoid potential kernel stack overflow 2008-04-29 08:06:04 -07:00
binfmt_script.c binfmt_misc.c: avoid potential kernel stack overflow 2008-04-29 08:06:04 -07:00
binfmt_som.c [PATCH] sanitize handling of shared descriptor tables in failing execve() 2008-04-25 09:23:53 -04:00
bio.c docbook: fix bio missing parameter 2008-05-07 18:35:03 +02:00
block_dev.c [PATCH] fix cgroup-inflicted breakage in block_dev.c 2008-06-23 08:30:55 -04:00
buffer.c Properly notify block layer of sync writes 2008-07-01 09:07:34 +02:00
char_dev.c fs: remove unused fops from struct char_device_struct 2008-04-29 08:06:01 -07:00
compat.c [PATCH] get rid of leak in compat_execve() 2008-05-16 17:23:05 -04:00
compat_binfmt_elf.c x86: compat_binfmt_elf 2008-01-30 13:31:46 +01:00
compat_ioctl.c tty: The big operations rework 2008-04-30 08:29:47 -07:00
dcache.c [patch 2/3] vfs: dcache cleanups 2008-06-23 13:07:00 -04:00
dcookies.c d_path: Make d_path() use a struct path 2008-02-14 21:17:09 -08:00
direct-io.c Pagecache zeroing: zero_user_segment, zero_user_segments and zero_user 2008-02-05 09:44:13 -08:00
dnotify.c [PATCH] split linux/file.h 2008-05-01 13:08:16 -04:00
dquot.c quota: don't call sync_fs() from vfs_quota_off() when there's no quota turn off 2008-05-13 08:02:23 -07:00
drop_caches.c vfs: skip inodes without pages to free in drop_pagecache_sb() 2008-04-29 08:06:05 -07:00
eventfd.c [PATCH] sanitize anon_inode_getfd() 2008-05-01 13:08:50 -04:00
eventpoll.c [PATCH] sanitize anon_inode_getfd() 2008-05-01 13:08:50 -04:00
exec.c exec: fix stack excutability without PT_GNU_STACK 2008-07-10 13:25:43 -07:00
fcntl.c [PATCH] split linux/file.h 2008-05-01 13:08:16 -04:00
fifo.c
file.c [PATCH] avoid multiplication overflows and signedness issues for max_fds 2008-05-16 17:22:52 -04:00
file_table.c [PATCH] split linux/file.h 2008-05-01 13:08:16 -04:00
filesystems.c
fs-writeback.c fs/fs-writeback.c: make 2 functions static 2008-04-29 08:06:00 -07:00
generic_acl.c
inode.c VFS: fix unused variable warning 2008-05-06 13:13:37 -07:00
inotify.c inotify: remove debug code 2008-02-06 10:41:07 -08:00
inotify_user.c Remove duplicated unlikely() in IS_ERR() 2008-04-29 08:06:25 -07:00
internal.h [PATCH] move a bunch of declarations to fs/internal.h 2008-04-21 23:11:01 -04:00
ioctl.c make vfs_ioctl() static 2008-04-29 08:06:00 -07:00
ioprio.c cfq-iosched: relax IOPRIO_CLASS_IDLE restrictions 2008-01-28 11:38:15 +01:00
libfs.c add kernel-doc for simple_read_from_buffer and memory_read_from_buffer 2008-07-04 10:40:07 -07:00
locks.c [patch 4/4] flock: remove unused fields from file_lock_operations 2008-06-23 11:52:30 -04:00
mbcache.c vfs: fix possible deadlock in ext2, ext3, ext4 when using xattrs 2008-04-15 19:35:41 -07:00
mpage.c docbook: fix filesystems.tmpl source files 2008-03-03 10:47:13 -08:00
namei.c [patch 3/4] vfs: fix ERR_PTR abuse in generic_readlink 2008-06-23 11:52:30 -04:00
namespace.c fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
nfsctl.c Introduce path_put() 2008-02-14 21:13:33 -08:00
no-block.c
open.c security: filesystem capabilities: fix fragile setuid fixup code 2008-07-04 10:40:08 -07:00
pipe.c [patch 1/4] vfs: path_{get,put}() cleanups 2008-06-23 11:52:29 -04:00
pnode.c [patch 7/7] vfs: mountinfo: show dominating group id 2008-04-23 00:05:09 -04:00
pnode.h [patch 7/7] vfs: mountinfo: show dominating group id 2008-04-23 00:05:09 -04:00
posix_acl.c
quota.c quota: quota core changes for quotaon on remount 2008-04-28 08:58:33 -07:00
quota_v1.c quota: do not allow setting of quota limits to too high values 2008-04-28 08:58:32 -07:00
quota_v2.c quota: le*_add_cpu conversion 2008-04-30 08:29:51 -07:00
read_write.c fs: use loff_t type instead of long long 2008-04-22 15:17:11 -07:00
read_write.h
readdir.c Use mutex_lock_killable in vfs_readdir 2007-12-06 17:39:54 -05:00
select.c Fix performance regression on lmbench select benchmark 2008-06-22 12:23:15 -07:00
seq_file.c [patch 2/7] vfs: mountinfo: add seq_file_root() 2008-04-23 00:04:38 -04:00
signalfd.c [PATCH] sanitize anon_inode_getfd() 2008-05-01 13:08:50 -04:00
splice.c splice: handle try_to_release_page() failure 2008-05-28 14:49:27 +02:00
stack.c
stat.c Introduce path_put() 2008-02-14 21:13:33 -08:00
super.c make __put_super() static 2008-04-29 08:06:00 -07:00
sync.c vfs: fix unconditional write_super() call in file_fsync() 2008-04-29 08:06:06 -07:00
timerfd.c [PATCH] sanitize anon_inode_getfd() 2008-05-01 13:08:50 -04:00
utimes.c [patch for 2.6.26 4/4] vfs: utimensat(): fix write access check for futimens() 2008-06-23 08:43:52 -04:00
xattr.c xattr: add missing consts to function arguments 2008-04-29 08:06:06 -07:00
xattr_acl.c