Smack: adds smackfs/ptrace interface

This allows to limit ptrace beyond the regular smack access rules. It adds a smackfs/ptrace interface that allows smack to be configured to require equal smack labels for PTRACE_MODE_ATTACH access. See the changes in Documentation/security/Smack.txt below for details. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2014-03-11 17:07:06 +01:00
parent 5663884caa
commit 6686781852
5 changed files with 118 additions and 2 deletions
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -176,6 +176,14 @@ struct smk_port_label {
 */
 #define SMACK_CIPSO_MAXCATNUM           184     /* 23 * 8 */

+/*
+ * Ptrace rules
+ */
+#define SMACK_PTRACE_DEFAULT	0
+#define SMACK_PTRACE_EXACT	1
+#define SMACK_PTRACE_DRACONIAN	2
+#define SMACK_PTRACE_MAX	SMACK_PTRACE_DRACONIAN
+
 /*
 * Flags for untraditional access modes.
 * It shouldn't be necessary to avoid conflicts with definitions
@@ -245,6 +253,7 @@ extern struct smack_known *smack_net_ambient;
 extern struct smack_known *smack_onlycap;
 extern struct smack_known *smack_syslog_label;
 extern const char *smack_cipso_option;
+extern int smack_ptrace_rule;

 extern struct smack_known smack_known_floor;
 extern struct smack_known smack_known_hat;