Yama: add PR_SET_PTRACER_ANY
author Kees Cook <keescook@chromium.org>
Fri, 20 Jan 2012 19:07:16 +0000 (11:07 -0800)
committer Grant Grundler <grundler@google.com>
Thu, 24 May 2012 22:16:44 +0000 (15:16 -0700)
For a process to entirely disable ptrace restrictions, it can use the
special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
process may ptrace it. This is stronger than calling PR_SET_PTRACER with
pid "1" because it includes processes in external pid namespaces.

BUG=chromium-os:25271
TEST=x86-alex build, boot, passes updated security_ptraceRestrictions.
STATUS=Fixed

Change-Id: I7a09a388f7b9b528cada04c752174edba2cf18ea
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14602
Reviewed-by: Mandeep Singh Baines <msb@chromium.org>
Reviewed-by: Olof Johansson <olofj@chromium.org>
security/yama/yama_lsm.c

index 2bedb31..114f9c6 100644 (file)
@@ -224,6 +224,7 @@ static int ptracer_exception_found(struct task_struct *tracer,
                tracee = rcu_dereference(tracee->group_leader);
        list_for_each_entry(relation, &ptracer_relations, node)
                if (relation->tracee == tracee) {
+                       found = true;
                        parent = relation->tracer;
                        found = true;
                        break;
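Review bot: The added `found = true;` at the top of the `if (relation->tracee == tracee)` body duplicates the existing `found = true;` two lines below it, just before `break;`, so as shown the new line changes nothing about what `ptracer_exception_found()` computes. Keep a single assignment (either placement works, since nothing between the two reads `found`) and drop the other. This hunk also contains no reference to PR_SET_PTRACER_ANY, so the loop should carry a short comment explaining why `found` is tracked separately from `parent`, for example that a matching relation may exist whose `relation->tracer` is not a specific task, if that is the intent.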