> -----Original Message----- > From: Jiri Kosina [mailto:[email protected]] > >
> @@ -325,10 +326,13 @@ static int __ptrace_may_access(struct task_struct > *task, unsigned int mode) > mm = task->mm; > if (mm && > ((get_dumpable(mm) != SUID_DUMP_USER) && > - !ptrace_has_cap(mm->user_ns, mode))) > + ((mode & PTRACE_MODE_NOACCESS_CHK) || > + !ptrace_has_cap(mm->user_ns, mode)))) > return -EPERM; > > - return security_ptrace_access_check(task, mode); > + if (!(mode & PTRACE_MODE_NOACCESS_CHK)) > + return security_ptrace_access_check(task, mode); > + return 0; Because PTRACE_MODE_IBPB includes PTRACE_MODE_NOAUDIT you shouldn't need this change. Do you have a good way to exercise this code path? I'm having trouble getting to the check, and have yet to get a case where PTRACE_MODE_NOACCESS_CHK is set. > } > > bool ptrace_may_access(struct task_struct *task, unsigned int mode) > > -- > Jiri Kosina > SUSE Labs
