From: Tom Horsley <horsley1953@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Laura Abbott <labbott@redhat.com>,
David Howells <dhowells@redhat.com>,
James Morris <james.l.morris@oracle.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] exec: Weaken dumpability for secureexec
Date: Wed, 3 Jan 2018 14:08:08 -0500
Message-ID: <20180103140808.0215ac87@tomh>
In-Reply-To: <CAGXu5jJfqWJG=kk+dkd+p2Tb0AvX2Cve0cCFjC+xYraZZQTzQw@mail.gmail.com>

On Wed, 3 Jan 2018 09:21:16 -0800
Kees Cook wrote:
> The more interesting thing here is that secureexec is set for a
> process that ISN'T actually setuid. (ptrace of a setuid process). I
> think that's the real bug, but not something I'm going to be able to
> fix quickly. So, for now, I want to revert this, then try to fix the
> weird case, and see if that breaks anyone, then fix this back to
> secureexec.

Certainly a program file that has capabilities attached to it
via "setcap" is intended to be treated just like setuid if
the capabilities it has are a superset of the capabilities
of the debugger. (I don't know if that is useful info in this
case, but I thought I'd mention it :-).