4 files changed, 15 insertions, 6 deletions

diff --git a/fs/proc/array.c b/fs/proc/array.c
index 3a1dafd228d1..ddffd7a88b97 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -380,7 +380,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
 
         state = *get_task_state(task);
         vsize = eip = esp = 0;
-        permitted = ptrace_may_access(task, PTRACE_MODE_READ);
+        permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
         mm = get_task_mm(task);
         if (mm) {
                 vsize = task_vsize(mm);
diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
index 800f113bea66..a27e56ca41a4 100644
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -127,8 +127,9 @@ extern void __ptrace_link(struct task_struct *child,
                           struct task_struct *new_parent);
 extern void __ptrace_unlink(struct task_struct *child);
 extern void exit_ptrace(struct task_struct *tracer);
-#define PTRACE_MODE_READ   1
-#define PTRACE_MODE_ATTACH 2
+#define PTRACE_MODE_READ        0x01
+#define PTRACE_MODE_ATTACH      0x02
+#define PTRACE_MODE_NOAUDIT     0x04
 /* Returns 0 on success, -errno on denial. */
 extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
 /* Returns true on success, false on denial. */
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 210bbf045ee9..c890ac9a7962 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -161,6 +161,14 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state)
         return ret;
 }
 
+static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
+{
+        if (mode & PTRACE_MODE_NOAUDIT)
+                return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
+        else
+                return has_ns_capability(current, ns, CAP_SYS_PTRACE);
+}
+
 int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 {
         const struct cred *cred = current_cred(), *tcred;
@@ -187,7 +195,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
              cred->gid == tcred->sgid &&
              cred->gid == tcred->gid))
                 goto ok;
-        if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
+        if (ptrace_has_cap(tcred->user->user_ns, mode))
                 goto ok;
         rcu_read_unlock();
         return -EPERM;
@@ -196,7 +204,7 @@ ok:
         smp_rmb();
         if (task->mm)
                 dumpable = get_dumpable(task->mm);
-        if (!dumpable && !ns_capable(task_user_ns(task), CAP_SYS_PTRACE))
+        if (!dumpable  && !ptrace_has_cap(task_user_ns(task), mode))
                 return -EPERM;
 
         return security_ptrace_access_check(task, mode);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c9605c4a2e08..14f94cd29c80 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1809,7 +1809,7 @@ static int selinux_ptrace_access_check(struct task_struct *child,
         if (rc)
                 return rc;
 
-        if (mode == PTRACE_MODE_READ) {
+        if (mode & PTRACE_MODE_READ) {
                 u32 sid = current_sid();
                 u32 csid = task_sid(child);
                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);