diff options
author | John Johansen <john.johansen@canonical.com> | 2017-12-09 02:43:18 +0100 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-01-13 00:49:59 +0100 |
commit | 0dda0b3fb255048a221f736c8a2a24c674da8bf3 (patch) | |
tree | 2e608fa9c885466ab5d833bcbaff76620ada5db9 /security/apparmor/include/perms.h | |
parent | Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/ker... (diff) | |
download | linux-0dda0b3fb255048a221f736c8a2a24c674da8bf3.tar.xz linux-0dda0b3fb255048a221f736c8a2a24c674da8bf3.zip |
apparmor: fix ptrace label match when matching stacked labels
Given a label with a profile stack of
A//&B or A//&C ...
A ptrace rule should be able to specify a generic trace pattern with
a rule like
ptrace trace A//&**,
however this is failing because while the correct label match routine
is called, it is being done post label decomposition so it is always
being done against a profile instead of the stacked label.
To fix this refactor the cross check to pass the full peer label in to
the label_match.
Fixes: 290f458a4f16 ("apparmor: allow ptrace checks to be finer grained than just capability")
Cc: Stable <stable@vger.kernel.org>
Reported-by: Matthew Garrett <mjg59@google.com>
Tested-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include/perms.h')
-rw-r--r-- | security/apparmor/include/perms.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h index 2b27bb79aec4..d7b7e7115160 100644 --- a/security/apparmor/include/perms.h +++ b/security/apparmor/include/perms.h @@ -133,6 +133,9 @@ extern struct aa_perms allperms; #define xcheck_labels_profiles(L1, L2, FN, args...) \ xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args) +#define xcheck_labels(L1, L2, P, FN1, FN2) \ + xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2))) + void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask); void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask); |