5 files changed, 21 insertions, 8 deletions

diff --git a/security/commoncap.c b/security/commoncap.c
index 33d343308413..0b6537a3672d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -63,7 +63,8 @@ int cap_settime(struct timespec *ts, struct timezone *tz)
         return 0;
 }
 
-int cap_ptrace (struct task_struct *parent, struct task_struct *child)
+int cap_ptrace (struct task_struct *parent, struct task_struct *child,
+                unsigned int mode)
 {
         /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
         if (!cap_issubset(child->cap_permitted, parent->cap_permitted) &&
diff --git a/security/dummy.c b/security/dummy.c
index b8916883b77f..1db712d99dc7 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -30,7 +30,8 @@
 #include <linux/prctl.h>
 #include <linux/securebits.h>
 
-static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
+static int dummy_ptrace (struct task_struct *parent, struct task_struct *child,
+                         unsigned int mode)
 {
         return 0;
 }
diff --git a/security/security.c b/security/security.c
index 59838a99b80e..c4507ce2a5a0 100644
--- a/security/security.c
+++ b/security/security.c
@@ -161,9 +161,10 @@ int mod_reg_security(const char *name, struct security_operations *ops)
 
 /* Security operations */
 
-int security_ptrace(struct task_struct *parent, struct task_struct *child)
+int security_ptrace(struct task_struct *parent, struct task_struct *child,
+                    unsigned int mode)
 {
-        return security_ops->ptrace(parent, child);
+        return security_ops->ptrace(parent, child, mode);
 }
 
 int security_capget(struct task_struct *target,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index eca70f42e678..4be156334b22 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1686,14 +1686,23 @@ static inline u32 file_to_av(struct file *file)
 
 /* Hook functions begin here. */
 
-static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
+static int selinux_ptrace(struct task_struct *parent,
+                          struct task_struct *child,
+                          unsigned int mode)
 {
         int rc;
 
-        rc = secondary_ops->ptrace(parent, child);
+        rc = secondary_ops->ptrace(parent, child, mode);
         if (rc)
                 return rc;
 
+        if (mode == PTRACE_MODE_READ) {
+                struct task_security_struct *tsec = parent->security;
+                struct task_security_struct *csec = child->security;
+                return avc_has_perm(tsec->sid, csec->sid,
+                                    SECCLASS_FILE, FILE__READ, NULL);
+        }
+
         return task_has_perm(parent, child, PROCESS__PTRACE);
 }
 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 4a09293efa00..3c7150b3493d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -95,11 +95,12 @@ struct inode_smack *new_inode_smack(char *smack)
  *
  * Do the capability checks, and require read and write.
  */
-static int smack_ptrace(struct task_struct *ptp, struct task_struct *ctp)
+static int smack_ptrace(struct task_struct *ptp, struct task_struct *ctp,
+                        unsigned int mode)
 {
         int rc;
 
-        rc = cap_ptrace(ptp, ctp);
+        rc = cap_ptrace(ptp, ctp, mode);
         if (rc != 0)
                 return rc;