Drop long carried selinux ptraceme patch

Nobody is working on this in Fedora at the moment, and it really needs
to come from upstream.

1 files changed, 0 insertions, 162 deletions

diff --git a/selinux-apply-different-permission-to-ptrace-child.patch b/selinux-apply-different-permission-to-ptrace-child.patch
deleted file mode 100644
index 90baad840..000000000
--- a/selinux-apply-different-permission-to-ptrace-child.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Some applications, like gdb, are able to ptrace both children or other
-completely unrelated tasks.  We would like to be able to discern these two
-things and to be able to allow gdb to ptrace it's children, but not to be
-able to ptrace unrelated tasks for security reasons.
-
-Upstream is a bit weary of this patch as it may be incomplete.  They are
-not fundamentally opposed to the patch, I was just ask to see if I could
-flush out any needed refinement in Fedora where we already had the
-problem.  We may find that we need to emulate the YAMA non-child
-registration module in order to completely deal with 'normal' ptrace on
-a system.  At the moment however, this patch will at least let us get
-gdb working for many users in Fedora (See fedora-devel-list for a
-discussion of the current issues people are complaining about in F17
-without this)
-
----
-
- security/selinux/hooks.c            |   38 +++++++++++++++++++++++++++++++++++
- security/selinux/include/classmap.h |    2 +-
- security/selinux/include/security.h |    2 ++
- security/selinux/selinuxfs.c        |    3 ++-
- security/selinux/ss/services.c      |    3 +++
- 5 files changed, 46 insertions(+), 2 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 1a4acf4..b226f26 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
- 
- /* Hook functions begin here. */
- 
-+/**
-+ * task_is_descendant - walk up a process family tree looking for a match
-+ * @parent: the process to compare against while walking up from child
-+ * @child: the process to start from while looking upwards for parent
-+ *
-+ * Returns 1 if child is a descendant of parent, 0 if not.
-+ */
-+static int task_is_descendant(struct task_struct *parent,
-+			      struct task_struct *child)
-+{
-+	int rc = 0;
-+	struct task_struct *walker = child;
-+
-+	if (!parent || !child)
-+		return 0;
-+
-+	rcu_read_lock();
-+	if (!thread_group_leader(parent))
-+		parent = rcu_dereference(parent->group_leader);
-+	while (walker->pid > 0) {
-+		if (!thread_group_leader(walker))
-+			walker = rcu_dereference(walker->group_leader);
-+		if (walker == parent) {
-+			rc = 1;
-+			break;
-+		}
-+		walker = rcu_dereference(walker->real_parent);
-+	}
-+	rcu_read_unlock();
-+
-+	return rc;
-+}
-+
- static int selinux_ptrace_access_check(struct task_struct *child,
- 				     unsigned int mode)
- {
-@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
- 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
- 	}
- 
-+
-+	if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
-+		return current_has_perm(child, PROCESS__PTRACE_CHILD);
- 	return current_has_perm(child, PROCESS__PTRACE);
- }
- 
-@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
- 	if (rc)
- 		return rc;
- 
-+	if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
-+		return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
- 	return task_has_perm(parent, current, PROCESS__PTRACE);
- }
- 
-diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
-index 39e678c..72c08b9 100644
---- a/security/selinux/include/classmap.h
-+++ b/security/selinux/include/classmap.h
-@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
- 	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
- 	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
- 	    "execmem", "execstack", "execheap", "setkeycreate",
--	    "setsockcreate", NULL } },
-+	    "setsockcreate", "ptrace_child", NULL } },
- 	{ "system",
- 	  { "ipc_info", "syslog_read", "syslog_mod",
- 	    "syslog_console", "module_request", NULL } },
-diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
-index dde2005..ac14b0a 100644
---- a/security/selinux/include/security.h
-+++ b/security/selinux/include/security.h
-@@ -68,12 +68,14 @@ extern int selinux_enabled;
- enum {
- 	POLICYDB_CAPABILITY_NETPEER,
- 	POLICYDB_CAPABILITY_OPENPERM,
-+	POLICYDB_CAPABILITY_PTRACE_CHILD,
- 	__POLICYDB_CAPABILITY_MAX
- };
- #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
- 
- extern int selinux_policycap_netpeer;
- extern int selinux_policycap_openperm;
-+extern int selinux_policycap_ptrace_child;
- 
- /*
-  * type_datum properties
-diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
-index 4e93f9e..3379765 100644
---- a/security/selinux/selinuxfs.c
-+++ b/security/selinux/selinuxfs.c
-@@ -44,7 +44,8 @@
- /* Policy capability filenames */
- static char *policycap_names[] = {
- 	"network_peer_controls",
--	"open_perms"
-+	"open_perms",
-+	"ptrace_child",
- };
- 
- unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
-diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
-index 9b7e7ed..4d12a6e 100644
---- a/security/selinux/ss/services.c
-+++ b/security/selinux/ss/services.c
-@@ -72,6 +72,7 @@
- 
- int selinux_policycap_netpeer;
- int selinux_policycap_openperm;
-+int selinux_policycap_ptrace_child;
- 
- static DEFINE_RWLOCK(policy_rwlock);
- 
-@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
- 						  POLICYDB_CAPABILITY_NETPEER);
- 	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
- 						  POLICYDB_CAPABILITY_OPENPERM);
-+	selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
-+						  POLICYDB_CAPABILITY_PTRACE_CHILD);
- }
- 
- static int security_preserve_bools(struct policydb *p);
-
-
-
-
-_______________________________________________
-kernel mailing list
-kernel@lists.fedoraproject.org
-https://admin.fedoraproject.org/mailman/listinfo/kernel