git.baikalelectronics.ru Git - kernel.git/commit

author	Eric Paris <eparis@redhat.com>
	Tue, 3 Jan 2012 17:25:15 +0000 (12:25 -0500)
committer	Eric Paris <eparis@redhat.com>
	Thu, 5 Jan 2012 23:53:00 +0000 (18:53 -0500)
commit	00a5e4c052888ad10a78a602a15339d35c863ce0
tree	dff25b5f5ef0736fb63b08729bec4ff57062c13f	tree \| snapshot
parent	0aa7970968a03c1771219d6fbf152d48e6a59243	commit \| diff

ptrace: do not audit capability check when outputing /proc/pid/stat

Reading /proc/pid/stat of another process checks if one has ptrace permissions
on that process.  If one does have permissions it outputs some data about the
process which might have security and attack implications.  If the current
task does not have ptrace permissions the read still works, but those fields
are filled with inocuous (0) values.  Since this check and a subsequent denial
is not a violation of the security policy we should not audit such denials.

This can be quite useful to removing ptrace broadly across a system without
flooding the logs when ps is run or something which harmlessly walks proc.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>

fs/proc/array.c		diff \| blob \| history
include/linux/ptrace.h		diff \| blob \| history
kernel/ptrace.c		diff \| blob \| history
security/selinux/hooks.c		diff \| blob \| history