- SELinux apply a different permission to ptrace a child vs non-child

- Reenable debug

config-generic

@@ -1464,13 +1464,13 @@ CONFIG_B43_SDIO=y
 CONFIG_B43_BCMA=y
 # CONFIG_B43_BCMA_EXTRA is not set
 CONFIG_B43_BCMA_PIO=y
-# CONFIG_B43_DEBUG is not set
+CONFIG_B43_DEBUG=y
 CONFIG_B43_PHY_LP=y
 CONFIG_B43_PHY_N=y
 CONFIG_B43_PHY_HT=y
 # CONFIG_B43_FORCE_PIO is not set
 CONFIG_B43LEGACY=m
-# CONFIG_B43LEGACY_DEBUG is not set
+CONFIG_B43LEGACY_DEBUG=y
 CONFIG_B43LEGACY_DMA=y
 CONFIG_B43LEGACY_PIO=y
 CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@@ -3054,7 +3054,7 @@ CONFIG_USB_STORAGE_REALTEK=m
 CONFIG_REALTEK_AUTOPM=y
 CONFIG_USB_STORAGE_ENE_UB6250=m
 # CONFIG_USB_LIBUSUAL is not set
-# CONFIG_USB_UAS is not set
+CONFIG_USB_UAS=m
 
 
 #
@@ -3959,7 +3959,7 @@ CONFIG_IBMASR=m
 CONFIG_PM_DEBUG=y
 CONFIG_PM_TRACE=y
 CONFIG_PM_TRACE_RTC=y
-# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_TEST_SUSPEND=y
 CONFIG_PM_RUNTIME=y
 # CONFIG_PM_OPP is not set
 

config-nodebug

@@ -2,109 +2,109 @@ CONFIG_SND_VERBOSE_PRINTK=y
 CONFIG_SND_DEBUG=y
 CONFIG_SND_PCM_XRUN_DEBUG=y
 
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+CONFIG_DEBUG_ATOMIC_SLEEP=y
 
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_PROVE_RCU is not set
+CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_RT_MUTEXES=y
+CONFIG_DEBUG_LOCK_ALLOC=y
+CONFIG_PROVE_LOCKING=y
+CONFIG_DEBUG_SPINLOCK=y
+CONFIG_PROVE_RCU=y
 # CONFIG_PROVE_RCU_REPEATEDLY is not set
-# CONFIG_DEBUG_PER_CPU_MAPS is not set
+CONFIG_DEBUG_PER_CPU_MAPS=y
 CONFIG_CPUMASK_OFFSTACK=y
 
-# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
+CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
 
-# CONFIG_FAULT_INJECTION is not set
-# CONFIG_FAILSLAB is not set
-# CONFIG_FAIL_PAGE_ALLOC is not set
-# CONFIG_FAIL_MAKE_REQUEST is not set
-# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
-# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
-# CONFIG_FAIL_IO_TIMEOUT is not set
-# CONFIG_FAIL_MMC_REQUEST is not set
+CONFIG_FAULT_INJECTION=y
+CONFIG_FAILSLAB=y
+CONFIG_FAIL_PAGE_ALLOC=y
+CONFIG_FAIL_MAKE_REQUEST=y
+CONFIG_FAULT_INJECTION_DEBUG_FS=y
+CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
+CONFIG_FAIL_IO_TIMEOUT=y
+CONFIG_FAIL_MMC_REQUEST=y
 
-# CONFIG_SLUB_DEBUG_ON is not set
+CONFIG_SLUB_DEBUG_ON=y
 
-# CONFIG_LOCK_STAT is not set
+CONFIG_LOCK_STAT=y
 
-# CONFIG_DEBUG_STACK_USAGE is not set
+CONFIG_DEBUG_STACK_USAGE=y
 
-# CONFIG_ACPI_DEBUG is not set
+CONFIG_ACPI_DEBUG=y
 # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
 
-# CONFIG_DEBUG_SG is not set
+CONFIG_DEBUG_SG=y
 
 # CONFIG_DEBUG_PAGEALLOC is not set
 
-# CONFIG_DEBUG_WRITECOUNT is not set
-# CONFIG_DEBUG_OBJECTS is not set
+CONFIG_DEBUG_WRITECOUNT=y
+CONFIG_DEBUG_OBJECTS=y
 # CONFIG_DEBUG_OBJECTS_SELFTEST is not set
-# CONFIG_DEBUG_OBJECTS_FREE is not set
-# CONFIG_DEBUG_OBJECTS_TIMERS is not set
-# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
+CONFIG_DEBUG_OBJECTS_FREE=y
+CONFIG_DEBUG_OBJECTS_TIMERS=y
+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
 CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
 
-# CONFIG_X86_PTDUMP is not set
+CONFIG_X86_PTDUMP=y
 
-# CONFIG_CAN_DEBUG_DEVICES is not set
+CONFIG_CAN_DEBUG_DEVICES=y
 
-# CONFIG_MODULE_FORCE_UNLOAD is not set
+CONFIG_MODULE_FORCE_UNLOAD=y
 
-# CONFIG_SYSCTL_SYSCALL_CHECK is not set
+CONFIG_SYSCTL_SYSCALL_CHECK=y
 
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_NOTIFIERS=y
 
-# CONFIG_DMA_API_DEBUG is not set
+CONFIG_DMA_API_DEBUG=y
 
-# CONFIG_MMIOTRACE is not set
+CONFIG_MMIOTRACE=y
 
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
 
 # off in both production debug and nodebug builds,
 #  on in rawhide nodebug builds
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
 
-# CONFIG_EXT4_DEBUG is not set
+CONFIG_EXT4_DEBUG=y
 
-# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_DEBUG_PERF_USE_VMALLOC=y
 
-# CONFIG_JBD2_DEBUG is not set
+CONFIG_JBD2_DEBUG=y
 
-# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_DEBUG_BLK_CGROUP=y
 
-# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_DRBD_FAULT_INJECTION=y
 
-# CONFIG_ATH_DEBUG is not set
-# CONFIG_CARL9170_DEBUGFS is not set
-# CONFIG_IWLWIFI_DEVICE_TRACING is not set
+CONFIG_ATH_DEBUG=y
+CONFIG_CARL9170_DEBUGFS=y
+CONFIG_IWLWIFI_DEVICE_TRACING=y
 
-# CONFIG_DEBUG_OBJECTS_WORK is not set
+CONFIG_DEBUG_OBJECTS_WORK=y
 
-# CONFIG_DMADEVICES_DEBUG is not set
-# CONFIG_DMADEVICES_VDEBUG is not set
+CONFIG_DMADEVICES_DEBUG=y
+CONFIG_DMADEVICES_VDEBUG=y
 
 CONFIG_PM_ADVANCED_DEBUG=y
 
-# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
-# CONFIG_QUOTA_DEBUG is not set
+CONFIG_CEPH_LIB_PRETTYDEBUG=y
+CONFIG_QUOTA_DEBUG=y
 
 CONFIG_PCI_DEFAULT_USE_CRS=y
 
 CONFIG_KGDB_KDB=y
 CONFIG_KDB_KEYBOARD=y
 
-# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
-# CONFIG_TEST_LIST_SORT is not set
+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
+CONFIG_TEST_LIST_SORT=y
 
-# CONFIG_DETECT_HUNG_TASK is not set
+CONFIG_DETECT_HUNG_TASK=y
 CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
 
-# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
+CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
 
-# CONFIG_DEBUG_KMEMLEAK is not set
+CONFIG_DEBUG_KMEMLEAK=y
 CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y

config-x86-generic

@@ -313,7 +313,7 @@ CONFIG_STRICT_DEVMEM=y
 # CONFIG_NO_BOOTMEM is not set
 
 # CONFIG_MEMTEST is not set
-# CONFIG_MAXSMP is not set
+CONFIG_MAXSMP=y
 
 
 CONFIG_HP_ILO=m

kernel.spec

@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -163,7 +163,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 #  and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
 
 # Want to build a vanilla kernel build without any non-upstream patches?
 %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@@ -176,7 +176,7 @@ Summary: The Linux kernel
 %define doc_build_fail true
 %endif
 
-%define rawhide_skip_docs 0
+%define rawhide_skip_docs 1
 %if 0%{?rawhide_skip_docs}
 %define with_doc 0
 %define doc_build_fail true
@@ -746,6 +746,9 @@ Patch21400: unhandled-irqs-switch-to-polling.patch
 
 Patch22000: weird-root-dentry-name-debug.patch
 
+#selinux ptrace child permissions
+Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1429,6 +1432,9 @@ ApplyPatch unhandled-irqs-switch-to-polling.patch
 
 ApplyPatch weird-root-dentry-name-debug.patch
 
+#selinux ptrace child permissions
+ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
+
 #Highbank clock functions
 ApplyPatch highbank-export-clock-functions.patch 
 
@@ -2293,6 +2299,12 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Apr 09 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc2.git0.3
+- Reenable debugging options.
+
+* Mon Apr 09 2012 Justin M. Forbes <jforbes@redhat.com>
+- SELinux apply a different permission to ptrace a child vs non-child
+
 * Mon Apr 09 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc2.git0.2
 - Disable debugging options.
 

selinux-apply-different-permission-to-ptrace-child.patch

@@ -0,0 +1,162 @@
+Some applications, like gdb, are able to ptrace both children or other
+completely unrelated tasks.  We would like to be able to discern these two
+things and to be able to allow gdb to ptrace it's children, but not to be
+able to ptrace unrelated tasks for security reasons.
+
+Upstream is a bit weary of this patch as it may be incomplete.  They are
+not fundamentally opposed to the patch, I was just ask to see if I could
+flush out any needed refinement in Fedora where we already had the
+problem.  We may find that we need to emulate the YAMA non-child
+registration module in order to completely deal with 'normal' ptrace on
+a system.  At the moment however, this patch will at least let us get
+gdb working for many users in Fedora (See fedora-devel-list for a
+discussion of the current issues people are complaining about in F17
+without this)
+
+---
+
+ security/selinux/hooks.c            |   38 +++++++++++++++++++++++++++++++++++
+ security/selinux/include/classmap.h |    2 +-
+ security/selinux/include/security.h |    2 ++
+ security/selinux/selinuxfs.c        |    3 ++-
+ security/selinux/ss/services.c      |    3 +++
+ 5 files changed, 46 insertions(+), 2 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 1a4acf4..b226f26 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
+ 
+ /* Hook functions begin here. */
+ 
++/**
++ * task_is_descendant - walk up a process family tree looking for a match
++ * @parent: the process to compare against while walking up from child
++ * @child: the process to start from while looking upwards for parent
++ *
++ * Returns 1 if child is a descendant of parent, 0 if not.
++ */
++static int task_is_descendant(struct task_struct *parent,
++			      struct task_struct *child)
++{
++	int rc = 0;
++	struct task_struct *walker = child;
++
++	if (!parent || !child)
++		return 0;
++
++	rcu_read_lock();
++	if (!thread_group_leader(parent))
++		parent = rcu_dereference(parent->group_leader);
++	while (walker->pid > 0) {
++		if (!thread_group_leader(walker))
++			walker = rcu_dereference(walker->group_leader);
++		if (walker == parent) {
++			rc = 1;
++			break;
++		}
++		walker = rcu_dereference(walker->real_parent);
++	}
++	rcu_read_unlock();
++
++	return rc;
++}
++
+ static int selinux_ptrace_access_check(struct task_struct *child,
+ 				     unsigned int mode)
+ {
+@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
+ 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
+ 	}
+ 
++
++	if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
++		return current_has_perm(child, PROCESS__PTRACE_CHILD);
+ 	return current_has_perm(child, PROCESS__PTRACE);
+ }
+ 
+@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
+ 	if (rc)
+ 		return rc;
+ 
++	if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
++		return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
+ 	return task_has_perm(parent, current, PROCESS__PTRACE);
+ }
+ 
+diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
+index 39e678c..72c08b9 100644
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
+ 	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+ 	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+ 	    "execmem", "execstack", "execheap", "setkeycreate",
+-	    "setsockcreate", NULL } },
++	    "setsockcreate", "ptrace_child", NULL } },
+ 	{ "system",
+ 	  { "ipc_info", "syslog_read", "syslog_mod",
+ 	    "syslog_console", "module_request", NULL } },
+diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
+index dde2005..ac14b0a 100644
+--- a/security/selinux/include/security.h
++++ b/security/selinux/include/security.h
+@@ -68,12 +68,14 @@ extern int selinux_enabled;
+ enum {
+ 	POLICYDB_CAPABILITY_NETPEER,
+ 	POLICYDB_CAPABILITY_OPENPERM,
++	POLICYDB_CAPABILITY_PTRACE_CHILD,
+ 	__POLICYDB_CAPABILITY_MAX
+ };
+ #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+ 
+ extern int selinux_policycap_netpeer;
+ extern int selinux_policycap_openperm;
++extern int selinux_policycap_ptrace_child;
+ 
+ /*
+  * type_datum properties
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4e93f9e..3379765 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -44,7 +44,8 @@
+ /* Policy capability filenames */
+ static char *policycap_names[] = {
+ 	"network_peer_controls",
+-	"open_perms"
++	"open_perms",
++	"ptrace_child",
+ };
+ 
+ unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
+index 9b7e7ed..4d12a6e 100644
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -72,6 +72,7 @@
+ 
+ int selinux_policycap_netpeer;
+ int selinux_policycap_openperm;
++int selinux_policycap_ptrace_child;
+ 
+ static DEFINE_RWLOCK(policy_rwlock);
+ 
+@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
+ 						  POLICYDB_CAPABILITY_NETPEER);
+ 	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
+ 						  POLICYDB_CAPABILITY_OPENPERM);
++	selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
++						  POLICYDB_CAPABILITY_PTRACE_CHILD);
+ }
+ 
+ static int security_preserve_bools(struct policydb *p);
+
+
+
+
+_______________________________________________
+kernel mailing list
+kernel@lists.fedoraproject.org
+https://admin.fedoraproject.org/mailman/listinfo/kernel