1 files changed, 15 insertions, 12 deletions
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index e2302e40b360..0fc1eed28d27 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -134,21 +134,24 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
                return 0;
        rcu_read_lock();
        tcred = __task_cred(task);
-        if ((cred->uid != tcred->euid ||
+        if (cred->user->user_ns == tcred->user->user_ns &&
-             cred->uid != tcred->suid ||
+            (cred->uid == tcred->euid &&
-             cred->uid != tcred->uid  ||
+             cred->uid == tcred->suid &&
-             cred->gid != tcred->egid ||
+             cred->uid == tcred->uid  &&
-             cred->gid != tcred->sgid ||
+             cred->gid == tcred->egid &&
-             cred->gid != tcred->gid) &&
+             cred->gid == tcred->sgid &&
-            !capable(CAP_SYS_PTRACE)) {
+             cred->gid == tcred->gid))
-                rcu_read_unlock();
+                goto ok;
-                return -EPERM;
+        if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
-        }
+                goto ok;
+        rcu_read_unlock();
+        return -EPERM;
+ok:
        rcu_read_unlock();
        smp_rmb();
        if (task->mm)
                dumpable = get_dumpable(task->mm);
-        if (!dumpable && !capable(CAP_SYS_PTRACE))
+        if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
                return -EPERM;
        return security_ptrace_access_check(task, mode);
@@ -198,7 +201,7 @@ static int ptrace_attach(struct task_struct *task)
                goto unlock_tasklist;
        task->ptrace = PT_PTRACED;
-        if (capable(CAP_SYS_PTRACE))
+        if (task_ns_capable(task, CAP_SYS_PTRACE))
                task->ptrace |= PT_PTRACE_CAP;
        __ptrace_link(task, current);

diff --git a/kernel/ptrace.c b/kernel/ptrace.c index e2302e40b360..0fc1eed28d27 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c
@@ -134,21 +134,24 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
134	return 0;	134	return 0;
135	rcu_read_lock();	135	rcu_read_lock();
136	tcred = __task_cred(task);	136	tcred = __task_cred(task);
137	if ((cred->uid != tcred->euid \|\|	137	if (cred->user->user_ns == tcred->user->user_ns &&
138	cred->uid != tcred->suid \|\|	138	(cred->uid == tcred->euid &&
139	cred->uid != tcred->uid \|\|	139	cred->uid == tcred->suid &&
140	cred->gid != tcred->egid \|\|	140	cred->uid == tcred->uid &&
141	cred->gid != tcred->sgid \|\|	141	cred->gid == tcred->egid &&
142	cred->gid != tcred->gid) &&	142	cred->gid == tcred->sgid &&
143	!capable(CAP_SYS_PTRACE)) {	143	cred->gid == tcred->gid))
144	rcu_read_unlock();	144	goto ok;
145	return -EPERM;	145	if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
146	}	146	goto ok;
		147	rcu_read_unlock();
		148	return -EPERM;
		149	ok:
147	rcu_read_unlock();	150	rcu_read_unlock();
148	smp_rmb();	151	smp_rmb();
149	if (task->mm)	152	if (task->mm)
150	dumpable = get_dumpable(task->mm);	153	dumpable = get_dumpable(task->mm);
151	if (!dumpable && !capable(CAP_SYS_PTRACE))	154	if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
152	return -EPERM;	155	return -EPERM;
153		156
154	return security_ptrace_access_check(task, mode);	157	return security_ptrace_access_check(task, mode);
@@ -198,7 +201,7 @@ static int ptrace_attach(struct task_struct *task)
198	goto unlock_tasklist;	201	goto unlock_tasklist;
199		202
200	task->ptrace = PT_PTRACED;	203	task->ptrace = PT_PTRACED;
201	if (capable(CAP_SYS_PTRACE))	204	if (task_ns_capable(task, CAP_SYS_PTRACE))
202	task->ptrace \|= PT_PTRACE_CAP;	205	task->ptrace \|= PT_PTRACE_CAP;
203		206
204	__ptrace_link(task, current);	207	__ptrace_link(task, current);