summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2018-06-07 00:45:30 -0700
committerJohn Johansen <john.johansen@canonical.com>2018-06-07 01:51:02 -0700
commit338d0be437ef10e247a35aed83dbab182cf406a2 (patch)
treea35737ad4aff38dbb6f9b228ee1999fb8b51b894
parent3ddae9876a7045a8d08ab372eff232a5da5199b8 (diff)
downloadop-kernel-dev-338d0be437ef10e247a35aed83dbab182cf406a2.zip
op-kernel-dev-338d0be437ef10e247a35aed83dbab182cf406a2.tar.gz
apparmor: fix ptrace read check
The ptrace read check is incorrect resulting in policy that is broader than it needs to be. Fix the check so that read access permission can be properly detected when other ptrace flags are set. Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels") Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/lsm.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e35d128..74f1737 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
tracer = begin_current_label_crit_section();
tracee = aa_get_task_label(child);
error = aa_may_ptrace(tracer, tracee,
- mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+ (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
+ : AA_PTRACE_TRACE);
aa_put_label(tracee);
end_current_label_crit_section(tracer);
OpenPOWER on IntegriCloud