author | John Johansen <john.johansen@canonical.com> | 2017-06-09 14:22:14 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-06-10 17:11:41 -0700 |
commit | b2d09ae449cedc6f276ac485c013d22a97d36992 (patch) | |
tree | 3984bf515f092325a3baad20d50a3814daff9f5a /security/apparmor/lsm.c | |
parent | ca916e8e2d88e97134a313eb3100ce9c3d8fd3f2 (diff) | |
download | linux-b2d09ae449cedc6f276ac485c013d22a97d36992.tar.bz2 |
apparmor: move ptrace checks to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/lsm.c')
-rw-r--r-- | security/apparmor/lsm.c | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index c3e98f74268f..bf28b48bf6dd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -104,12 +104,31 @@ static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
 static int apparmor_ptrace_access_check(struct task_struct *child, unsigned int mode)
 {
- return aa_ptrace(current, child, mode);
+ struct aa_label *tracer, *tracee;
+ int error;
+
+ tracer = begin_current_label_crit_section();
+ tracee = aa_get_task_label(child);
+ error = aa_may_ptrace(tracer, tracee,
+ mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+ aa_put_label(tracee);
+ end_current_label_crit_section(tracer);
+
+ return error;
 }
 static int apparmor_ptrace_traceme(struct task_struct *parent)
 {
- return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
+ struct aa_label *tracer, *tracee;
+ int error;
+
+ tracee = begin_current_label_crit_section();
+ tracer = aa_get_task_label(parent);
+ error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
+ aa_put_label(tracer);
+ end_current_label_crit_section(tracee);
+
+ return error;
 }
 /* Derived from security/commoncap.c:cap_capget */ |
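Review bot: In `apparmor_ptrace_access_check` the test `mode == PTRACE_MODE_READ` matches only when no other bit is set, but `mode` is a flag word. The flag definitions are outside this hunk, but ptrace access callers normally pass `PTRACE_MODE_READ` combined with `PTRACE_MODE_FSCREDS` or `PTRACE_MODE_REALCREDS`, and sometimes `PTRACE_MODE_NOAUDIT`, so a read-only request would be mediated as `AA_PTRACE_TRACE`. That fails closed, but profiles then have to grant trace where read would suffice, which makes policy broader than it needs to be. Testing the bit avoids this: `(mode & PTRACE_MODE_READ) ? AA_PTRACE_READ : AA_PTRACE_TRACE);`.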