> I meant, it can fail because selinux sees LSM_UNSAFE_PTRACE and cancels
> exec. If we add ->report_security_check() callback or something, we can
> detach the engines which don't pass the check.

Oh, I see what you mean.  But that's not the way I'd figured it.

The purpose of the unsafe_exec flags is to make the exec either fail or not
have its security-transition (suid et al) properties, because the tracing
engine exposes the task to another user.  If the engine intends to detach
after any security-transitioning exec so as to deny its user access to the
tracee, then it wouldn't set the unsafe_exec flags in the first place.

There are other limitations or synchronization requirements for such an
engine to be making good security guarantees.  But that's the basic way
I'd figured it.

> The question was: am I right this is the only change we need to make
> sure that task->utrace_flags will always have the ENGINE_EXTRA_FLAGS
> bits from all engine->flag's ? OK, I think it is correct.

Ah, I get you.  Yes, that's fine.  The only magic about that is the |= in
utrace_reset, and the cases you touched in utrace_set_events.


Thanks,
Roland
