Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-13 Thread Djalal Harouni
On Wed, Oct 09, 2013 at 06:27:22PM +0100, Andy Lutomirski wrote: > On Wed, Oct 9, 2013 at 11:54 AM, Djalal Harouni wrote: > > On Mon, Oct 07, 2013 at 02:41:33PM -0700, Andy Lutomirski wrote: > >> On Sat, Oct 5, 2013 at 6:23 AM, Djalal Harouni wrote: > >> > On Fri, Oct 04, 2013 at 03:17:08PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-09 Thread Andy Lutomirski
On Wed, Oct 9, 2013 at 11:54 AM, Djalal Harouni wrote: > On Mon, Oct 07, 2013 at 02:41:33PM -0700, Andy Lutomirski wrote: >> On Sat, Oct 5, 2013 at 6:23 AM, Djalal Harouni wrote: >> > On Fri, Oct 04, 2013 at 03:17:08PM -0700, Andy Lutomirski wrote: >> >> >> >> Exactly. Hence the NAK. >> > But

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-09 Thread Djalal Harouni
On Wed, Oct 09, 2013 at 11:54:02AM +0100, Djalal Harouni wrote: > On Mon, Oct 07, 2013 at 02:41:33PM -0700, Andy Lutomirski wrote: > > On Sat, Oct 5, 2013 at 6:23 AM, Djalal Harouni wrote: > > > On Fri, Oct 04, 2013 at 03:17:08PM -0700, Andy Lutomirski wrote: > > >> > > >> Exactly. Hence the

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-09 Thread Djalal Harouni
On Mon, Oct 07, 2013 at 02:41:33PM -0700, Andy Lutomirski wrote: > On Sat, Oct 5, 2013 at 6:23 AM, Djalal Harouni wrote: > > On Fri, Oct 04, 2013 at 03:17:08PM -0700, Andy Lutomirski wrote: > >> > >> Exactly. Hence the NAK. > > But Having two LSM Hooks there is really not practical! > > It'd

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-09 Thread Djalal Harouni
On Fri, Oct 04, 2013 at 05:35:22PM -0700, Eric W. Biederman wrote: > Andy Lutomirski writes: > > > On Fri, Oct 4, 2013 at 3:55 PM, Eric W. Biederman > > wrote: > >> Andy Lutomirski writes: > >> > >>> On Fri, Oct 4, 2013 at 12:41 PM, Djalal Harouni wrote: > On Fri, Oct 04, 2013 at

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-07 Thread Andy Lutomirski
On Sat, Oct 5, 2013 at 6:23 AM, Djalal Harouni wrote: > On Fri, Oct 04, 2013 at 03:17:08PM -0700, Andy Lutomirski wrote: >> >> Exactly. Hence the NAK. > But Having two LSM Hooks there is really not practical! It'd doable *if* it turns out that it's the right solution. But revoke seems much

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-05 Thread Djalal Harouni
On Fri, Oct 04, 2013 at 03:17:08PM -0700, Andy Lutomirski wrote: > On Fri, Oct 4, 2013 at 12:41 PM, Djalal Harouni wrote: > > On Fri, Oct 04, 2013 at 12:32:09PM -0700, Andy Lutomirski wrote: > >> On Fri, Oct 4, 2013 at 12:27 PM, Djalal Harouni wrote: > >> > On Fri, Oct 04, 2013 at 12:16:26PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Eric W. Biederman
Andy Lutomirski writes: > On Fri, Oct 4, 2013 at 3:55 PM, Eric W. Biederman > wrote: >> Andy Lutomirski writes: >> >>> On Fri, Oct 4, 2013 at 12:41 PM, Djalal Harouni wrote: On Fri, Oct 04, 2013 at 12:32:09PM -0700, Andy Lutomirski wrote: > On Fri, Oct 4, 2013 at 12:27 PM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Andy Lutomirski
On Fri, Oct 4, 2013 at 3:59 PM, Andy Lutomirski wrote: > > I'd really like a solution where there are no read or write > implementations in the entire kernel that check permissions. Failing > that, just getting it for procfs would be nice. (uid_map, etc will > probably need to be revoked on

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Andy Lutomirski
On Fri, Oct 4, 2013 at 3:55 PM, Eric W. Biederman wrote: > Andy Lutomirski writes: > >> On Fri, Oct 4, 2013 at 12:41 PM, Djalal Harouni wrote: >>> On Fri, Oct 04, 2013 at 12:32:09PM -0700, Andy Lutomirski wrote: On Fri, Oct 4, 2013 at 12:27 PM, Djalal Harouni wrote: > > So sorry

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Eric W. Biederman
Andy Lutomirski writes: > On Fri, Oct 4, 2013 at 12:41 PM, Djalal Harouni wrote: >> On Fri, Oct 04, 2013 at 12:32:09PM -0700, Andy Lutomirski wrote: >>> On Fri, Oct 4, 2013 at 12:27 PM, Djalal Harouni wrote: >>> > So sorry Andy, I don't follow what you are describing. >>> >>> And what

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Andy Lutomirski
On Fri, Oct 4, 2013 at 12:41 PM, Djalal Harouni wrote: > On Fri, Oct 04, 2013 at 12:32:09PM -0700, Andy Lutomirski wrote: >> On Fri, Oct 4, 2013 at 12:27 PM, Djalal Harouni wrote: >> > On Fri, Oct 04, 2013 at 12:16:26PM -0700, Andy Lutomirski wrote: >> >> On Fri, Oct 4, 2013 at 12:11 PM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Djalal Harouni
On Fri, Oct 04, 2013 at 12:32:09PM -0700, Andy Lutomirski wrote: > On Fri, Oct 4, 2013 at 12:27 PM, Djalal Harouni wrote: > > On Fri, Oct 04, 2013 at 12:16:26PM -0700, Andy Lutomirski wrote: > >> On Fri, Oct 4, 2013 at 12:11 PM, Djalal Harouni wrote: > >> > On Fri, Oct 04, 2013 at 07:34:08PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Andy Lutomirski
On Fri, Oct 4, 2013 at 12:27 PM, Djalal Harouni wrote: > On Fri, Oct 04, 2013 at 12:16:26PM -0700, Andy Lutomirski wrote: >> On Fri, Oct 4, 2013 at 12:11 PM, Djalal Harouni wrote: >> > On Fri, Oct 04, 2013 at 07:34:08PM +0100, Andy Lutomirski wrote: >> >> On Fri, Oct 4, 2013 at 7:23 PM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Djalal Harouni
On Fri, Oct 04, 2013 at 12:16:26PM -0700, Andy Lutomirski wrote: > On Fri, Oct 4, 2013 at 12:11 PM, Djalal Harouni wrote: > > On Fri, Oct 04, 2013 at 07:34:08PM +0100, Andy Lutomirski wrote: > >> On Fri, Oct 4, 2013 at 7:23 PM, Djalal Harouni wrote: > >> > On Fri, Oct 04, 2013 at 04:40:01PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Andy Lutomirski
On Fri, Oct 4, 2013 at 12:11 PM, Djalal Harouni wrote: > On Fri, Oct 04, 2013 at 07:34:08PM +0100, Andy Lutomirski wrote: >> On Fri, Oct 4, 2013 at 7:23 PM, Djalal Harouni wrote: >> > On Fri, Oct 04, 2013 at 04:40:01PM +0100, Andy Lutomirski wrote: >> >> On Fri, Oct 4, 2013 at 9:59 AM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Djalal Harouni
On Fri, Oct 04, 2013 at 07:34:08PM +0100, Andy Lutomirski wrote: > On Fri, Oct 4, 2013 at 7:23 PM, Djalal Harouni wrote: > > On Fri, Oct 04, 2013 at 04:40:01PM +0100, Andy Lutomirski wrote: > >> On Fri, Oct 4, 2013 at 9:59 AM, Djalal Harouni wrote: > >> > On Thu, Oct 03, 2013 at 02:09:55PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Andy Lutomirski
On Fri, Oct 4, 2013 at 7:23 PM, Djalal Harouni wrote: > On Fri, Oct 04, 2013 at 04:40:01PM +0100, Andy Lutomirski wrote: >> On Fri, Oct 4, 2013 at 9:59 AM, Djalal Harouni wrote: >> > On Thu, Oct 03, 2013 at 02:09:55PM -0700, Andy Lutomirski wrote: >> >> On Thu, Oct 3, 2013 at 1:13 PM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Djalal Harouni
On Fri, Oct 04, 2013 at 04:40:01PM +0100, Andy Lutomirski wrote: > On Fri, Oct 4, 2013 at 9:59 AM, Djalal Harouni wrote: > > On Thu, Oct 03, 2013 at 02:09:55PM -0700, Andy Lutomirski wrote: > >> On Thu, Oct 3, 2013 at 1:13 PM, Djalal Harouni wrote: > >> > On Thu, Oct 03, 2013 at 12:37:49PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Andy Lutomirski
On Fri, Oct 4, 2013 at 9:59 AM, Djalal Harouni wrote: > On Thu, Oct 03, 2013 at 02:09:55PM -0700, Andy Lutomirski wrote: >> On Thu, Oct 3, 2013 at 1:13 PM, Djalal Harouni wrote: >> > On Thu, Oct 03, 2013 at 12:37:49PM -0700, Andy Lutomirski wrote: >> >> On Thu, Oct 3, 2013 at 12:29 PM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-04 Thread Djalal Harouni
On Thu, Oct 03, 2013 at 02:09:55PM -0700, Andy Lutomirski wrote: > On Thu, Oct 3, 2013 at 1:13 PM, Djalal Harouni wrote: > > On Thu, Oct 03, 2013 at 12:37:49PM -0700, Andy Lutomirski wrote: > >> On Thu, Oct 3, 2013 at 12:29 PM, Djalal Harouni wrote: > >> > On Thu, Oct 03, 2013 at 04:12:37PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-03 Thread Andy Lutomirski
On Thu, Oct 3, 2013 at 1:13 PM, Djalal Harouni wrote: > On Thu, Oct 03, 2013 at 12:37:49PM -0700, Andy Lutomirski wrote: >> On Thu, Oct 3, 2013 at 12:29 PM, Djalal Harouni wrote: >> > On Thu, Oct 03, 2013 at 04:12:37PM +0100, Andy Lutomirski wrote: >> >> On Thu, Oct 3, 2013 at 3:36 PM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-03 Thread Djalal Harouni
On Thu, Oct 03, 2013 at 12:37:49PM -0700, Andy Lutomirski wrote: > On Thu, Oct 3, 2013 at 12:29 PM, Djalal Harouni wrote: > > On Thu, Oct 03, 2013 at 04:12:37PM +0100, Andy Lutomirski wrote: > >> On Thu, Oct 3, 2013 at 3:36 PM, Djalal Harouni wrote: > >> > On Wed, Oct 02, 2013 at 05:44:17PM

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-03 Thread Andy Lutomirski
On Thu, Oct 3, 2013 at 12:29 PM, Djalal Harouni wrote: > On Thu, Oct 03, 2013 at 04:12:37PM +0100, Andy Lutomirski wrote: >> On Thu, Oct 3, 2013 at 3:36 PM, Djalal Harouni wrote: >> > On Wed, Oct 02, 2013 at 05:44:17PM +0100, Andy Lutomirski wrote: >> >> On Wed, Oct 2, 2013 at 3:55 PM, Djalal

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-03 Thread Djalal Harouni
eds to get called. (Think > about setcap'd programs instead of setuid programs.) Yes, I already did this, not only setuid, capabilities also are handled See the whole patch, please! Yes, and speaking about LSMs I've mentioned in my patches and doc, that the proposed function proc_allow_access() should be used after

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-03 Thread Andy Lutomirski
On Thu, Oct 3, 2013 at 3:36 PM, Djalal Harouni wrote: > On Wed, Oct 02, 2013 at 05:44:17PM +0100, Andy Lutomirski wrote: >> On Wed, Oct 2, 2013 at 3:55 PM, Djalal Harouni wrote: >> > On Tue, Oct 01, 2013 at 06:36:34PM -0700, Andy Lutomirski wrote: >> >> On 10/01/2013 01:26 PM, Djalal Harouni

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-03 Thread Djalal Harouni
On Wed, Oct 02, 2013 at 05:44:17PM +0100, Andy Lutomirski wrote: > On Wed, Oct 2, 2013 at 3:55 PM, Djalal Harouni wrote: > > On Tue, Oct 01, 2013 at 06:36:34PM -0700, Andy Lutomirski wrote: > >> On 10/01/2013 01:26 PM, Djalal Harouni wrote: > >> > Since /proc entries varies at runtime, permission

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-03 Thread Djalal Harouni
) of cap_ptrace_access_check() If this previous proc_same_open_cred() returns 0 (cred have changed) goto (2) [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task proc_allow_access() returns 1 on success 2) It does the uid/gid checks which is complete

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-02 Thread Andy Lutomirski
On Wed, Oct 2, 2013 at 3:55 PM, Djalal Harouni wrote: > On Tue, Oct 01, 2013 at 06:36:34PM -0700, Andy Lutomirski wrote: >> On 10/01/2013 01:26 PM, Djalal Harouni wrote: >> > Since /proc entries varies at runtime, permission checks need to happen >> > during each system call. >> > >> > However

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-02 Thread Djalal Harouni
On Tue, Oct 01, 2013 at 06:36:34PM -0700, Andy Lutomirski wrote: > On 10/01/2013 01:26 PM, Djalal Harouni wrote: > > Since /proc entries varies at runtime, permission checks need to happen > > during each system call. > > > > However even with that /proc file descriptors can be passed to a more >

Re: [PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-01 Thread Andy Lutomirski
On 10/01/2013 01:26 PM, Djalal Harouni wrote: > Since /proc entries varies at runtime, permission checks need to happen > during each system call. > > However even with that /proc file descriptors can be passed to a more > privileged process (e.g. a suid-exec) which will pass the classic >

[PATCH v2 2/9] procfs: add proc_allow_access() to check if file's opener may access task

2013-10-01 Thread Djalal Harouni
Since /proc entries varies at runtime, permission checks need to happen during each system call. However even with that /proc file descriptors can be passed to a more privileged process (e.g. a suid-exec) which will pass the classic ptrace_may_access() permission check. The open() call will be
