Commit 338d0be4 authored by John Johansen's avatar John Johansen

apparmor: fix ptrace read check

The ptrace read check is incorrect resulting in policy that is
broader than it needs to be. Fix the check so that read access
permission can be properly detected when other ptrace flags are
set.

Fixes: b2d09ae4 ("apparmor: move ptrace checks to using labels")
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 3ddae987
...@@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child, ...@@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
tracer = begin_current_label_crit_section(); tracer = begin_current_label_crit_section();
tracee = aa_get_task_label(child); tracee = aa_get_task_label(child);
error = aa_may_ptrace(tracer, tracee, error = aa_may_ptrace(tracer, tracee,
mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
: AA_PTRACE_TRACE);
aa_put_label(tracee); aa_put_label(tracee);
end_current_label_crit_section(tracer); end_current_label_crit_section(tracer);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment