Hi! I noticed the following check in smk_ptrace_rule_check():
    if (tracer_known->smk_known == tracee_known->smk_known)
        rc = 0;
    else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
        rc = -EACCES;
    else if (capable(CAP_SYS_PTRACE))
        rc = 0;
    else
        rc = -EACCES;

Note that smk_ptrace_rule_check() can be called from not just smack_ptrace_access_check() and smack_ptrace_traceme(), but also smack_bprm_set_creds(). AFAICS this means that if a task executes with a smack privilege transition and smack_ptrace_rule is SMACK_PTRACE_EXACT, whether the execution is permitted depends on whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether the debugger has that capability). This seems like it's probably unintentional?
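Added example, not part of the post above and not kernel code: a small user-space model of the quoted check that makes explicit which task capable() consults. In the kernel, capable() always tests the current task's credentials, so the model passes "current" in as a parameter and wires up the two call paths the post contrasts: the attach path, where the debugger is current, and the exec path, where the traced task doing the exec is current. The struct fields, rule constants, helper names and labels ("dbg", "svc") are stand-ins chosen for the example; the comparison uses strcmp() where the kernel compares interned label pointers.

```c
/* User-space model of smk_ptrace_rule_check() with "current" made explicit.
 * Names and constants are illustrative, not the kernel's definitions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { SMACK_PTRACE_DEFAULT, SMACK_PTRACE_EXACT, SMACK_PTRACE_DRACONIAN };

struct task {
    const char *smk_known;   /* Smack label (interned string in the kernel) */
    bool cap_sys_ptrace;     /* holds CAP_SYS_PTRACE in its effective set */
};

/* Model of capable(CAP_SYS_PTRACE): it looks at whoever is current. */
static bool capable_sys_ptrace(const struct task *current)
{
    return current->cap_sys_ptrace;
}

/* The check quoted in the post, with the implicit "current" as a parameter. */
static int smk_ptrace_rule_check(const struct task *tracer,
                                 const struct task *tracee,
                                 int smack_ptrace_rule,
                                 const struct task *current)
{
    int rc;

    if (strcmp(tracer->smk_known, tracee->smk_known) == 0)
        rc = 0;
    else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
        rc = -EACCES;
    else if (capable_sys_ptrace(current))
        rc = 0;
    else
        rc = -EACCES;
    return rc;
}

/* Attach path (smack_ptrace_access_check): the debugger is current. */
static int check_attach(const struct task *debugger,
                        const struct task *target, int rule)
{
    return smk_ptrace_rule_check(debugger, target, rule, debugger);
}

/* Exec path (smack_bprm_set_creds): the traced task performing the exec is
 * current, and the label checked is the one it will carry after the
 * transition. Its ptrace parent is passed as the tracer. */
static int check_exec(const struct task *tracer,
                      const struct task *execing_task, int rule)
{
    return smk_ptrace_rule_check(tracer, execing_task, rule, execing_task);
}

/* Scenario: debugger labelled "dbg" without CAP_SYS_PTRACE, tracee that
 * transitions to label "svc" on exec. The only variable is whether the
 * tracee itself holds CAP_SYS_PTRACE. */
int exec_check_rc(int rule, bool tracee_has_cap)
{
    struct task tracer = { "dbg", false };
    struct task execing = { "svc", tracee_has_cap }; /* post-transition label */

    return check_exec(&tracer, &execing, rule);
}

/* Same labels, attach direction: the debugger's capability is what matters. */
int attach_check_rc(int rule, bool debugger_has_cap)
{
    struct task debugger = { "dbg", debugger_has_cap };
    struct task target = { "svc", false };

    return check_attach(&debugger, &target, rule);
}

int main(void)
{
    printf("EXACT, attach, debugger without cap: %d\n",
           attach_check_rc(SMACK_PTRACE_EXACT, false));
    printf("EXACT, attach, debugger with cap:    %d\n",
           attach_check_rc(SMACK_PTRACE_EXACT, true));
    printf("EXACT, exec, tracee without cap:     %d\n",
           exec_check_rc(SMACK_PTRACE_EXACT, false));
    printf("EXACT, exec, tracee with cap:        %d\n",
           exec_check_rc(SMACK_PTRACE_EXACT, true));
    printf("DRACONIAN, exec, tracee with cap:    %d\n",
           exec_check_rc(SMACK_PTRACE_DRACONIAN, true));
    return 0;
}
```

With SMACK_PTRACE_EXACT the exec-path result flips from -EACCES to 0 solely because the tracee gained CAP_SYS_PTRACE, while the debugger's credentials never enter the decision; under SMACK_PTRACE_DRACONIAN the capability branch is never reached and the label mismatch is denied either way.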