linux/security/smack
Lukasz Pawelczyk 5663884caa Smack: unify all ptrace accesses in the smack
The decision whether we can trace a process is made in the following
functions:
	smack_ptrace_traceme()
	smack_ptrace_access_check()
	smack_bprm_set_creds() (in case the proces is traced)

This patch unifies all those decisions by introducing one function that
checks whether ptrace is allowed: smk_ptrace_rule_check().

This makes possible to actually trace with TRACEME where first the
TRACEME itself must be allowed and then exec() on a traced process.

Additional bugs fixed:
- The decision is made according to the mode parameter that is now correctly
  translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1.
  PTRACE_MODE_READ requires MAY_READ.
  PTRACE_MODE_ATTACH requires MAY_READWRITE.
- Add a smack audit log in case of exec() refused by bprm_set_creds().
- Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info
  in case this flag is set.

Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2014-04-11 14:34:26 -07:00
..
Kconfig Smack: use select not depends in Kconfig 2012-12-14 10:57:10 -08:00
Makefile Smack: Simplified Mandatory Access Control Kernel 2008-02-05 09:44:20 -08:00
smack.h Smack: fix the subject/object order in smack_ptrace_traceme() 2014-04-11 14:34:17 -07:00
smack_access.c Smack: fix the subject/object order in smack_ptrace_traceme() 2014-04-11 14:34:17 -07:00
smack_lsm.c Smack: unify all ptrace accesses in the smack 2014-04-11 14:34:26 -07:00
smackfs.c Smack: change rule cap check 2013-12-23 15:57:43 -08:00