Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
"Alejandro Colomar (man-pages)" writes: > [CC += Thomas, Ingo, Peter, Darren] > > Hi Oleg, > > On 12/16/20 3:33 AM, Jann Horn wrote: >> On Wed, Dec 16, 2020 at 3:21 AM Ted Estes wrote: >>> On 12/15/2020 6:01 PM, Jann Horn wrote: On Wed, Dec 16, 2020 at 12:25 AM Alejandro Colomar (man-pages) wrote: > On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote: >> On 12/16/20 12:07 AM, Jann Horn wrote: >>> As the comment explains, you can't actually *attach* >>> to another task in the same thread group; but that's >>> not because of the ptrace-style access check rules, >>> but because specifically *attaching* to another task >>> in the same thread group doesn't work. As I said, attaching indeed doesn't work. But that's not what "Ptrace access mode checking" means. As the first sentence of that section says: | Various parts of the kernel-user-space API (not just ptrace() | operations), require so-called "ptrace access mode" checks, | whose outcome determines whether an operation is | permitted (or, in a few cases, causes a "read" operation | to return sanitized data). You can find these places by grepping for \bptrace_may_access\b - operations like e.g. the get_robust_list() syscall will always succeed when inspecting other tasks in the caller's thread group thanks to this rule. >>> >>> Ah, yes. I missed that back reference while trying to digest that >>> rather meaty man page. A grep on the man page source tree does show a >>> number of references to "ptrace access mode". >>> >>> That said, the ptrace(2) man page also directly references the ptrace >>> access mode check under both PTRACE_ATTACH and PTACE_SEIZE: >>> >>> | Permission to perform a PTRACE_ATTACH is governed by a ptrace | access >>> mode PTRACE_MODE_ATTACH_REALCREDS check; see below. As confirmed, the >>> "same thread group" rule does not apply to either of those operations. A >>> re-wording of rule 1 similar to this might help avoid confusion: 1. If >>> the calling thread and the target thread are in the same thread group: >>> a. For ptrace() called with PTRACE_ATTACH or PTRACE_SEIZE, access is >>> NEVER allowed. b. For all other so-called "ptrace access mode checks", >>> access is ALWAYS allowed. --Ted >> >> Yeah, maybe. OTOH I'm not sure whether it really makes sense to >> explain this as being part of a security check, or whether it should >> be explained separately as a restriction on PTRACE_ATTACH and >> PTRACE_SEIZE (with a note like "(irrelevant for ptrace attachment)" on >> rule 1). But I don't feel strongly about it either way. >> > > As you are the maintainer for ptrace, > could you confirm the above from Jan? > And maybe suggest what you would do with the manual page. > > I'd like to get confirmation that there are still other functions that > require "ptrace access mode" other than ptrace() itself, where it's > valid that the calling thread and the target thread are in the same > group. Large swaths of proc are governed by those checks. In general in the kernel whenever you are accessing another process to perform an operation (especially reading) it will probably use "ptrace access mode" checks. You can see this by with "git grep ptrace_may_access" on the kernel source. Eric
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
[CC += Thomas, Ingo, Peter, Darren] Hi Oleg, On 12/16/20 3:33 AM, Jann Horn wrote: > On Wed, Dec 16, 2020 at 3:21 AM Ted Estes wrote: >> On 12/15/2020 6:01 PM, Jann Horn wrote: >>> On Wed, Dec 16, 2020 at 12:25 AM Alejandro Colomar (man-pages) >>> wrote: On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote: > On 12/16/20 12:07 AM, Jann Horn wrote: >> As the comment explains, you can't actually *attach* >> to another task in the same thread group; but that's >> not because of the ptrace-style access check rules, >> but because specifically *attaching* to another task >> in the same thread group doesn't work. >>> As I said, attaching indeed doesn't work. But that's not what "Ptrace >>> access mode checking" means. As the first sentence of that section >>> says: >>> >>> | Various parts of the kernel-user-space API (not just ptrace() >>> | operations), require so-called "ptrace access mode" checks, >>> | whose outcome determines whether an operation is >>> | permitted (or, in a few cases, causes a "read" operation >>> | to return sanitized data). >>> >>> You can find these places by grepping for \bptrace_may_access\b - >>> operations like e.g. the get_robust_list() syscall will always succeed >>> when inspecting other tasks in the caller's thread group thanks to >>> this rule. >> >> Ah, yes. I missed that back reference while trying to digest that >> rather meaty man page. A grep on the man page source tree does show a >> number of references to "ptrace access mode". >> >> That said, the ptrace(2) man page also directly references the ptrace >> access mode check under both PTRACE_ATTACH and PTACE_SEIZE: >> >> | Permission to perform a PTRACE_ATTACH is governed by a ptrace | access >> mode PTRACE_MODE_ATTACH_REALCREDS check; see below. As confirmed, the >> "same thread group" rule does not apply to either of those operations. A >> re-wording of rule 1 similar to this might help avoid confusion: 1. If >> the calling thread and the target thread are in the same thread group: >> a. For ptrace() called with PTRACE_ATTACH or PTRACE_SEIZE, access is >> NEVER allowed. b. For all other so-called "ptrace access mode checks", >> access is ALWAYS allowed. --Ted > > Yeah, maybe. OTOH I'm not sure whether it really makes sense to > explain this as being part of a security check, or whether it should > be explained separately as a restriction on PTRACE_ATTACH and > PTRACE_SEIZE (with a note like "(irrelevant for ptrace attachment)" on > rule 1). But I don't feel strongly about it either way. > As you are the maintainer for ptrace, could you confirm the above from Jan? And maybe suggest what you would do with the manual page. I'd like to get confirmation that there are still other functions that require "ptrace access mode" other than ptrace() itself, where it's valid that the calling thread and the target thread are in the same group. Jann noted get_robust_list() as an example, so I CCed futex maintainers. Thanks, Alex -- Alejandro Colomar Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/ http://www.alejandro-colomar.es
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
On 12/15, Linus Torvalds wrote: > > On Tue, Dec 15, 2020 at 2:48 PM Alejandro Colomar (man-pages) > wrote: > > > > 1) Remove that paragraph, as if that behavior had never existed. > > If it's been 15 years since that paragraph was relevant, I think just > removing it is the right thing to do. Agreed. Oleg.
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
On Wed, Dec 16, 2020 at 3:21 AM Ted Estes wrote: > On 12/15/2020 6:01 PM, Jann Horn wrote: > > On Wed, Dec 16, 2020 at 12:25 AM Alejandro Colomar (man-pages) > > wrote: > >> On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote: > >>> On 12/16/20 12:07 AM, Jann Horn wrote: > As the comment explains, you can't actually *attach* > to another task in the same thread group; but that's > not because of the ptrace-style access check rules, > but because specifically *attaching* to another task > in the same thread group doesn't work. > > As I said, attaching indeed doesn't work. But that's not what "Ptrace > > access mode checking" means. As the first sentence of that section > > says: > > > > | Various parts of the kernel-user-space API (not just ptrace() > > | operations), require so-called "ptrace access mode" checks, > > | whose outcome determines whether an operation is > > | permitted (or, in a few cases, causes a "read" operation > > | to return sanitized data). > > > > You can find these places by grepping for \bptrace_may_access\b - > > operations like e.g. the get_robust_list() syscall will always succeed > > when inspecting other tasks in the caller's thread group thanks to > > this rule. > > Ah, yes. I missed that back reference while trying to digest that > rather meaty man page. A grep on the man page source tree does show a > number of references to "ptrace access mode". > > That said, the ptrace(2) man page also directly references the ptrace > access mode check under both PTRACE_ATTACH and PTACE_SEIZE: > > | Permission to perform a PTRACE_ATTACH is governed by a ptrace | access > mode PTRACE_MODE_ATTACH_REALCREDS check; see below. As confirmed, the > "same thread group" rule does not apply to either of those operations. A > re-wording of rule 1 similar to this might help avoid confusion: 1. If > the calling thread and the target thread are in the same thread group: > a. For ptrace() called with PTRACE_ATTACH or PTRACE_SEIZE, access is > NEVER allowed. b. For all other so-called "ptrace access mode checks", > access is ALWAYS allowed. --Ted Yeah, maybe. OTOH I'm not sure whether it really makes sense to explain this as being part of a security check, or whether it should be explained separately as a restriction on PTRACE_ATTACH and PTRACE_SEIZE (with a note like "(irrelevant for ptrace attachment)" on rule 1). But I don't feel strongly about it either way.
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
On 12/15/2020 6:01 PM, Jann Horn wrote:
On Wed, Dec 16, 2020 at 12:25 AM Alejandro Colomar (man-pages)
wrote:
On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote:
On 12/16/20 12:07 AM, Jann Horn wrote:
Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar (man-pages):
There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
[[
Under "Ptrace access mode checking", the documentation states:
"1. If the calling thread and the target thread are in the same thread
group, access is always allowed."
This is incorrect. A thread may never attach to another in the same group.
No, that is correct. ptrace-mode access checks do always short-circuit for
tasks in the same thread group:
/* Returns 0 on success, -errno on denial. */
static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
{
[...]
/* May we inspect the given task?
* This check is used both for attaching with ptrace
* and for allowing access to sensitive information in /proc.
*
* ptrace_attach denies several cases that /proc allows
* because setting up the necessary parent/child relationship
* or halting the specified task is impossible.
*/
/* Don't let security modules deny introspection */
if (same_thread_group(task, current))
return 0;
[...]
}
AFAICS, that code always returns non-zero,
Sorry, I should have said "that code never returns 0".
at least when called from ptrace_attach().
Yes.
As you can see below,
__ptrace_may_access() is called some lines after
the code pointed to by the bug report.
static int ptrace_attach(struct task_struct *task, long request,
unsigned long addr,
unsigned long flags)
{
[...]
if (same_thread_group(task, current))
goto out;
/*
* Protect exec's credential calculations against our interference;
* SUID, SGID and LSM creds get determined differently
* under ptrace.
*/
retval = -ERESTARTNOINTR;
if (mutex_lock_interruptible(>signal->cred_guard_mutex))
goto out;
task_lock(task);
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
[...]
}
I said exactly that in my last mail:
As the comment explains, you can't actually *attach*
to another task in the same thread group; but that's
not because of the ptrace-style access check rules,
but because specifically *attaching* to another task
in the same thread group doesn't work.
As I said, attaching indeed doesn't work. But that's not what "Ptrace
access mode checking" means. As the first sentence of that section
says:
| Various parts of the kernel-user-space API (not just ptrace()
| operations), require so-called "ptrace access mode" checks,
| whose outcome determines whether an operation is
| permitted (or, in a few cases, causes a "read" operation
| to return sanitized data).
You can find these places by grepping for \bptrace_may_access\b -
operations like e.g. the get_robust_list() syscall will always succeed
when inspecting other tasks in the caller's thread group thanks to
this rule.
Ah, yes. I missed that back reference while trying to digest that
rather meaty man page. A grep on the man page source tree does show a
number of references to "ptrace access mode".
That said, the ptrace(2) man page also directly references the ptrace
access mode check under both PTRACE_ATTACH and PTACE_SEIZE:
| Permission to perform a PTRACE_ATTACH is governed by a ptrace | access
mode PTRACE_MODE_ATTACH_REALCREDS check; see below. As confirmed, the
"same thread group" rule does not apply to either of those operations. A
re-wording of rule 1 similar to this might help avoid confusion: 1. If
the calling thread and the target thread are in the same thread group:
a. For ptrace() called with PTRACE_ATTACH or PTRACE_SEIZE, access is
NEVER allowed. b. For all other so-called "ptrace access mode checks",
access is ALWAYS allowed. --Ted
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
On Tue, Dec 15, 2020 at 2:48 PM Alejandro Colomar (man-pages) wrote: > > 1) Remove that paragraph, as if that behavior had never existed. If it's been 15 years since that paragraph was relevant, I think just removing it is the right thing to do. Linus
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar (man-pages):
> Hi,
>
> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>
> [[
> Under "Ptrace access mode checking", the documentation states:
> "1. If the calling thread and the target thread are in the same thread
> group, access is always allowed."
>
> This is incorrect. A thread may never attach to another in the same group.
No, that is correct. ptrace-mode access checks do always short-circuit for
tasks in the same thread group:
/* Returns 0 on success, -errno on denial. */
static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
{
[...]
/* May we inspect the given task?
* This check is used both for attaching with ptrace
* and for allowing access to sensitive information in /proc.
*
* ptrace_attach denies several cases that /proc allows
* because setting up the necessary parent/child relationship
* or halting the specified task is impossible.
*/
/* Don't let security modules deny introspection */
if (same_thread_group(task, current))
return 0;
[...]
}
As the comment explains, you can't actually *attach*
to another task in the same thread group; but that's
not because of the ptrace-style access check rules,
but because specifically *attaching* to another task
in the same thread group doesn't work.
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
Hi Jann,
On 12/16/20 12:07 AM, Jann Horn wrote:
> Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar
> (man-pages):
>> Hi,
>>
>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>>
>> [[
>> Under "Ptrace access mode checking", the documentation states:
>> "1. If the calling thread and the target thread are in the same thread
>> group, access is always allowed."
>>
>> This is incorrect. A thread may never attach to another in the same group.
>
> No, that is correct. ptrace-mode access checks do always short-circuit for
> tasks in the same thread group:
>
> /* Returns 0 on success, -errno on denial. */
> static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> {
> [...]
> /* May we inspect the given task?
> * This check is used both for attaching with ptrace
> * and for allowing access to sensitive information in /proc.
> *
> * ptrace_attach denies several cases that /proc allows
> * because setting up the necessary parent/child relationship
> * or halting the specified task is impossible.
> */
>
> /* Don't let security modules deny introspection */
> if (same_thread_group(task, current))
> return 0;
> [...]
> }
AFAICS, that code always returns non-zero,
at least when called from ptrace_attach().
As you can see below,
__ptrace_may_access() is called some lines after
the code pointed to by the bug report.
static int ptrace_attach(struct task_struct *task, long request,
unsigned long addr,
unsigned long flags)
{
[...]
if (same_thread_group(task, current))
goto out;
/*
* Protect exec's credential calculations against our interference;
* SUID, SGID and LSM creds get determined differently
* under ptrace.
*/
retval = -ERESTARTNOINTR;
if (mutex_lock_interruptible(>signal->cred_guard_mutex))
goto out;
task_lock(task);
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
[...]
}
Thanks,
Alex
>
> As the comment explains, you can't actually *attach*
> to another task in the same thread group; but that's
> not because of the ptrace-style access check rules,
> but because specifically *attaching* to another task
> in the same thread group doesn't work.
>
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote:
> Hi Jann,
>
> On 12/16/20 12:07 AM, Jann Horn wrote:
>> Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar
>> (man-pages):
>>> Hi,
>>>
>>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>>>
>>> [[
>>> Under "Ptrace access mode checking", the documentation states:
>>> "1. If the calling thread and the target thread are in the same thread
>>> group, access is always allowed."
>>>
>>> This is incorrect. A thread may never attach to another in the same group.
>>
>> No, that is correct. ptrace-mode access checks do always short-circuit for
>> tasks in the same thread group:
>>
>> /* Returns 0 on success, -errno on denial. */
>> static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
>> {
>> [...]
>> /* May we inspect the given task?
>> * This check is used both for attaching with ptrace
>> * and for allowing access to sensitive information in /proc.
>> *
>> * ptrace_attach denies several cases that /proc allows
>> * because setting up the necessary parent/child relationship
>> * or halting the specified task is impossible.
>> */
>>
>> /* Don't let security modules deny introspection */
>> if (same_thread_group(task, current))
>> return 0;
>> [...]
>> }
>
> AFAICS, that code always returns non-zero,
Sorry, I should have said "that code never returns 0".
> at least when called from ptrace_attach().
>
> As you can see below,
> __ptrace_may_access() is called some lines after
> the code pointed to by the bug report.
>
>
> static int ptrace_attach(struct task_struct *task, long request,
>unsigned long addr,
>unsigned long flags)
> {
> [...]
> if (same_thread_group(task, current))
> goto out;
>
> /*
>* Protect exec's credential calculations against our interference;
>* SUID, SGID and LSM creds get determined differently
>* under ptrace.
>*/
> retval = -ERESTARTNOINTR;
> if (mutex_lock_interruptible(>signal->cred_guard_mutex))
> goto out;
>
> task_lock(task);
> retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
> [...]
> }
>
>
> Thanks,
>
> Alex
>
>>
>> As the comment explains, you can't actually *attach*
>> to another task in the same thread group; but that's
>> not because of the ptrace-style access check rules,
>> but because specifically *attaching* to another task
>> in the same thread group doesn't work.
>>
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
On Wed, Dec 16, 2020 at 12:25 AM Alejandro Colomar (man-pages)
wrote:
> On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote:
> > On 12/16/20 12:07 AM, Jann Horn wrote:
> >> Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar
> >> (man-pages):
> >>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
> >>>
> >>> [[
> >>> Under "Ptrace access mode checking", the documentation states:
> >>> "1. If the calling thread and the target thread are in the same thread
> >>> group, access is always allowed."
> >>>
> >>> This is incorrect. A thread may never attach to another in the same group.
> >>
> >> No, that is correct. ptrace-mode access checks do always short-circuit for
> >> tasks in the same thread group:
> >>
> >> /* Returns 0 on success, -errno on denial. */
> >> static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> >> {
> >> [...]
> >> /* May we inspect the given task?
> >> * This check is used both for attaching with ptrace
> >> * and for allowing access to sensitive information in /proc.
> >> *
> >> * ptrace_attach denies several cases that /proc allows
> >> * because setting up the necessary parent/child relationship
> >> * or halting the specified task is impossible.
> >> */
> >>
> >> /* Don't let security modules deny introspection */
> >> if (same_thread_group(task, current))
> >> return 0;
> >> [...]
> >> }
> >
> > AFAICS, that code always returns non-zero,
>
> Sorry, I should have said "that code never returns 0".
>
> > at least when called from ptrace_attach().
Yes.
> > As you can see below,
> > __ptrace_may_access() is called some lines after
> > the code pointed to by the bug report.
> >
> >
> > static int ptrace_attach(struct task_struct *task, long request,
> >unsigned long addr,
> >unsigned long flags)
> > {
> > [...]
> > if (same_thread_group(task, current))
> > goto out;
> >
> > /*
> >* Protect exec's credential calculations against our interference;
> >* SUID, SGID and LSM creds get determined differently
> >* under ptrace.
> >*/
> > retval = -ERESTARTNOINTR;
> > if (mutex_lock_interruptible(>signal->cred_guard_mutex))
> > goto out;
> >
> > task_lock(task);
> > retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
> > [...]
> > }
I said exactly that in my last mail:
> >> As the comment explains, you can't actually *attach*
> >> to another task in the same thread group; but that's
> >> not because of the ptrace-style access check rules,
> >> but because specifically *attaching* to another task
> >> in the same thread group doesn't work.
As I said, attaching indeed doesn't work. But that's not what "Ptrace
access mode checking" means. As the first sentence of that section
says:
| Various parts of the kernel-user-space API (not just ptrace()
| operations), require so-called "ptrace access mode" checks,
| whose outcome determines whether an operation is
| permitted (or, in a few cases, causes a "read" operation
| to return sanitized data).
You can find these places by grepping for \bptrace_may_access\b -
operations like e.g. the get_robust_list() syscall will always succeed
when inspecting other tasks in the caller's thread group thanks to
this rule.
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
[CC += Andreas, Linus, Roland, Markus; fixed Oleg] On 12/15/20 7:34 PM, Alejandro Colomar (man-pages) wrote: > Hi Ted, > > On 12/15/20 7:31 PM, Ted Estes wrote: >> Per my research on the topic, the error is in the manual page. The >> behavior of ptrace(2) was intentionally changed to prohibit attaching to >> a thread in the same group. Apparently, there were a number of >> ill-behaved edge cases. >> >> I found this email thread on the subject: >> https://lkml.org/lkml/2006/8/31/241 Okay, after reading the LKML thread, the old behavior was removed because it was very buggy. We have two options now: 1) Remove that paragraph, as if that behavior had never existed. If we do this, not much is lost: Only _very_ old kernels had that behavior, and it's not even advisable to make use of it on those, AFAICS. 2) Add a note to that paragraph, saying that since kernel 2.X.Y? the calling thread and the target thread can't be in the same group. Cons: That info is unlikely to be useful, and will only add a few more lines to a page that is already very long. 3) Suggestions? I prefer option 1. I'll add a larger screenshot of the manual page below, so that readers don't need to read 'man 2 ptrace': [[ ... The algorithm employed for ptrace access mode checking deter‐ mines whether the calling process is allowed to perform the corresponding action on the target process. (In the case of opening /proc/[pid] files, the "calling process" is the one opening the file, and the process with the corresponding PID is the "target process".) The algorithm is as follows: 1. If the calling thread and the target thread are in the same thread group, access is always allowed. 2. If the access mode specifies PTRACE_MODE_FSCREDS, then, for the check in the next step, employ the caller's filesystem UID and GID. (As noted in credentials(7), the filesystem UID and GID almost always have the same values as the corre‐ sponding effective IDs.) Otherwise, the access mode specifies PTRACE_MODE_REALCREDS, so use the caller's real UID and GID for the checks in the next step. (Most APIs that check the caller's UID and GID use the effective IDs. For historical reasons, the PTRACE_MODE_REALCREDS check uses the real IDs instead.) ... ]] Any thoughts before I write the patch? Thanks, Alex > > Thank you for all the details and links! > I'll fix the page. > > Thanks, > > Alex > >> >> Thank you. >> --Ted Estes >> >> On 12/15/2020 11:01 AM, Alejandro Colomar (man-pages) wrote: >>> Hi, >>> >>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655 >>> >>> [[ >>> Under "Ptrace access mode checking", the documentation states: >>>"1. If the calling thread and the target thread are in the same thread >>> group, access is always allowed." >>> >>> This is incorrect. A thread may never attach to another in the same >>> group. >>> >>> Reference, ptrace_attach() >>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380 >>> >>> ]] >>> >>> I just wanted to make sure that it is a bug in the manual page, and not >>> in the implementation. >>> >>> >>> Thanks, >>> >>> Alex >>> >> >
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
Hi Ted, On 12/15/20 7:31 PM, Ted Estes wrote: > Per my research on the topic, the error is in the manual page. The > behavior of ptrace(2) was intentionally changed to prohibit attaching to > a thread in the same group. Apparently, there were a number of > ill-behaved edge cases. > > I found this email thread on the subject: > https://lkml.org/lkml/2006/8/31/241 Thank you for all the details and links! I'll fix the page. Thanks, Alex > > Thank you. > --Ted Estes > > On 12/15/2020 11:01 AM, Alejandro Colomar (man-pages) wrote: >> Hi, >> >> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655 >> >> [[ >> Under "Ptrace access mode checking", the documentation states: >> "1. If the calling thread and the target thread are in the same thread >> group, access is always allowed." >> >> This is incorrect. A thread may never attach to another in the same >> group. >> >> Reference, ptrace_attach() >> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380 >> >> ]] >> >> I just wanted to make sure that it is a bug in the manual page, and not >> in the implementation. >> >> >> Thanks, >> >> Alex >> > -- Alejandro Colomar Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/ http://www.alejandro-colomar.es
Re: [Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
Per my research on the topic, the error is in the manual page. The behavior of ptrace(2) was intentionally changed to prohibit attaching to a thread in the same group. Apparently, there were a number of ill-behaved edge cases. I found this email thread on the subject: https://lkml.org/lkml/2006/8/31/241 Thank you. --Ted Estes On 12/15/2020 11:01 AM, Alejandro Colomar (man-pages) wrote: Hi, There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655 [[ Under "Ptrace access mode checking", the documentation states: "1. If the calling thread and the target thread are in the same thread group, access is always allowed." This is incorrect. A thread may never attach to another in the same group. Reference, ptrace_attach() https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380 ]] I just wanted to make sure that it is a bug in the manual page, and not in the implementation. Thanks, Alex
[Bug 210655] ptrace.2: documentation is incorrect about access checking threads in same thread group
Hi, There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655 [[ Under "Ptrace access mode checking", the documentation states: "1. If the calling thread and the target thread are in the same thread group, access is always allowed." This is incorrect. A thread may never attach to another in the same group. Reference, ptrace_attach() https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380 ]] I just wanted to make sure that it is a bug in the manual page, and not in the implementation. Thanks, Alex -- Alejandro Colomar Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/ http://www.alejandro-colomar.es
