unfortunately the kernel actually uses ptrace_access_check for more than
just ptrace, and the LSM (and hence apparmor) is not given context as to
where the check is coming from. The current full list that can trigger
an apparmor ptrace check is below. We can discard any that are not using
a variant of MODE_READ*
the mostly likely candidate is reading proc files, but this is going to
take some more sleuthing to trace the source operation. AppArmor will
throw an EACCES so if we can setup a trace to catch that, it would be
helpful in tacking this down.
$ git grep security_ptrace_access_check
include/linux/security.h:int security_ptrace_access_check(struct task_struct
*child, unsigned int mode);
include/linux/security.h:static inline int security_ptrace_access_check(struct
task_struct *child,
kernel/ptrace.c: return security_ptrace_access_check(task, mode);
security/security.c:int security_ptrace_access_check(struct task_struct *child,
unsigned int mode)
jj@flux:~/linux-kernels/linux-2.6$ emacs kernel/ptrace.c &
[4] 9110
jj@flux:~/linux-kernels/linux-2.6$ git grep ptrace_may_access
Documentation/process/adding-syscalls.rst:``ptrace_may_access()``) so that only
a calling process with the same
Documentation/translations/it_IT/process/adding-syscalls.rst:la chiamata
``ptrace_may_access()``) di modo che solo un processo chiamante
fs/proc/array.c: permitted = ptrace_may_access(task,
PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);
fs/proc/base.c: if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
fs/proc/base.c: if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) {
fs/proc/base.c: allowed = ptrace_may_access(task,
PTRACE_MODE_READ_FSCREDS);
fs/proc/base.c: return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
fs/proc/base.c: if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
fs/proc/base.c: if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
fs/proc/base.c: if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
fs/proc/namespaces.c: if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
fs/proc/namespaces.c: if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
include/linux/ptrace.h: * ptrace_may_access - check whether the caller is
permitted to access
include/linux/ptrace.h:extern bool ptrace_may_access(struct task_struct *task,
unsigned int mode);
include/linux/sched/mm.h: * and ptrace_may_access with the mode parameter
passed to it
kernel/cred.c: * the credential change; otherwise, a
__ptrace_may_access()
kernel/cred.c: * Pairs with a read barrier in __ptrace_may_access().
kernel/events/core.c: if (!ptrace_may_access(task,
PTRACE_MODE_READ_REALCREDS))
kernel/fork.c: !ptrace_may_access(task, mode)) {
kernel/futex.c: if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
kernel/futex.c: if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
kernel/kcmp.c: if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) ||
kernel/kcmp.c: !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) {
kernel/ptrace.c:static int __ptrace_may_access(struct task_struct *task,
unsigned int mode)
kernel/ptrace.c:bool ptrace_may_access(struct task_struct *task, unsigned int
mode)
kernel/ptrace.c: err = __ptrace_may_access(task, mode);
kernel/ptrace.c: retval = __ptrace_may_access(task,
PTRACE_MODE_ATTACH_REALCREDS);
kernel/seccomp.c: * equivalent (see ptrace_may_access), it is
safe to
mm/mempolicy.c: * Use the regular "ptrace_may_access()" checks.
mm/mempolicy.c: if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
mm/migrate.c: * process. Use the regular "ptrace_may_access()" checks.
mm/migrate.c: if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1872175
Title:
gpsd unable to open chrony PPS socket
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1872175/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
