diff options
| author | Takashi Iwai <tiwai@suse.de> | 2012-09-15 08:24:42 +0200 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2012-09-15 08:24:42 +0200 |
| commit | 5d037f9064a8f3b9abbe383cdfb35e159d813711 (patch) | |
| tree | 2a2445271ee818c360c42408a324d2945a6dd9f7 /Documentation/security/Yama.txt | |
| parent | 64f1e00d8edb54f5d25fb0114a46050fb8340df4 (diff) | |
| parent | 985b11fa8064d55d0d5a84e68667434598911bb2 (diff) | |
Merge tag 'asoc-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linussound-3.6
ASoC: Updates for 3.6
A bigger set of updates than I'm entirely comfortable with - things
backed up a bit due to travel. As ever the majority of these are small,
focused updates for specific drivers though there are a couple of core
changes. There's been good exposure in -next.
The AT91 patch fixes a build break.
Diffstat (limited to 'Documentation/security/Yama.txt')
| -rw-r--r-- | Documentation/security/Yama.txt | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt index e369de2d48cd..dd908cf64ecf 100644 --- a/Documentation/security/Yama.txt +++ b/Documentation/security/Yama.txt @@ -46,14 +46,13 @@ restrictions, it can call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...) so that any otherwise allowed process (even those in external pid namespaces) may attach. -These restrictions do not change how ptrace via PTRACE_TRACEME operates. - -The sysctl settings are: +The sysctl settings (writable only with CAP_SYS_PTRACE) are: 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other process running under the same uid, as long as it is dumpable (i.e. did not transition uids, start privileged, or have called - prctl(PR_SET_DUMPABLE...) already). + prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is + unchanged. 1 - restricted ptrace: a process must have a predefined relationship with the inferior it wants to call PTRACE_ATTACH on. By default, @@ -61,12 +60,13 @@ The sysctl settings are: classic criteria is also met. To change the relationship, an inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call PTRACE_ATTACH on the inferior. + Using PTRACE_TRACEME is unchanged. 2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace - with PTRACE_ATTACH. + with PTRACE_ATTACH, or through children calling PTRACE_TRACEME. -3 - no attach: no processes may use ptrace with PTRACE_ATTACH. Once set, - this sysctl cannot be changed to a lower value. +3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via + PTRACE_TRACEME. Once set, this sysctl value cannot be changed. The original children-only logic was based on the restrictions in grsecurity. |