diff options
| author | John Johansen <john.johansen@canonical.com> | 2018-06-07 03:45:30 -0400 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2018-06-07 04:51:02 -0400 |
| commit | 338d0be437ef10e247a35aed83dbab182cf406a2 (patch) | |
| tree | a35737ad4aff38dbb6f9b228ee1999fb8b51b894 | |
| parent | 3ddae9876a7045a8d08ab372eff232a5da5199b8 (diff) | |
apparmor: fix ptrace read check
The ptrace read check is incorrect resulting in policy that is
broader than it needs to be. Fix the check so that read access
permission can be properly detected when other ptrace flags are
set.
Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
| -rw-r--r-- | security/apparmor/lsm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e35d12883990..74f17376202b 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child, | |||
| 117 | tracer = begin_current_label_crit_section(); | 117 | tracer = begin_current_label_crit_section(); |
| 118 | tracee = aa_get_task_label(child); | 118 | tracee = aa_get_task_label(child); |
| 119 | error = aa_may_ptrace(tracer, tracee, | 119 | error = aa_may_ptrace(tracer, tracee, |
| 120 | mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); | 120 | (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ |
| 121 | : AA_PTRACE_TRACE); | ||
| 121 | aa_put_label(tracee); | 122 | aa_put_label(tracee); |
| 122 | end_current_label_crit_section(tracer); | 123 | end_current_label_crit_section(tracer); |
| 123 | 124 | ||