diff options
author | John Johansen <john.johansen@canonical.com> | 2018-06-07 00:45:30 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-06-07 01:51:02 -0700 |
commit | 338d0be437ef10e247a35aed83dbab182cf406a2 (patch) | |
tree | a35737ad4aff38dbb6f9b228ee1999fb8b51b894 | |
parent | 3ddae9876a7045a8d08ab372eff232a5da5199b8 (diff) | |
download | op-kernel-dev-338d0be437ef10e247a35aed83dbab182cf406a2.zip op-kernel-dev-338d0be437ef10e247a35aed83dbab182cf406a2.tar.gz |
apparmor: fix ptrace read check
The ptrace read check is incorrect resulting in policy that is
broader than it needs to be. Fix the check so that read access
permission can be properly detected when other ptrace flags are
set.
Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r-- | security/apparmor/lsm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e35d128..74f1737 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child, tracer = begin_current_label_crit_section(); tracee = aa_get_task_label(child); error = aa_may_ptrace(tracer, tracee, - mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); + (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ + : AA_PTRACE_TRACE); aa_put_label(tracee); end_current_label_crit_section(tracer); |