git.samba.org / sfrench / cifs-2.6.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge commit 'v3.15' into next
[sfrench/cifs-2.6.git] / Documentation / security / Smack.txt
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index 5ea996f21d6c91734b5196e2d62c34a537379fec..b6ef7e9dba30f52a0c0c222a08158fa543bef211 100644 (file)
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -204,6 +204,16 @@ onlycap
        these capabilities are effective at for processes with any
        label. The value is set by writing the desired label to the
        file or cleared by writing "-" to the file.
+ptrace
+       This is used to define the current ptrace policy
+       0 - default: this is the policy that relies on smack access rules.
+           For the PTRACE_READ a subject needs to have a read access on
+           object. For the PTRACE_ATTACH a read-write access is required.
+       1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
+           only allowed when subject's and object's labels are equal.
+           PTRACE_READ is not affected. Can be overriden with CAP_SYS_PTRACE.
+       2 - draconian: this policy behaves like the 'exact' above with an
+           exception that it can't be overriden with CAP_SYS_PTRACE.
 revoke-subject
        Writing a Smack label here sets the access to '-' for all access
        rules with that subject label.
Unnamed repository; edit this file 'description' to name the repository.