summaryrefslogtreecommitdiffstats
path: root/security/apparmor/include/perms.h
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-12-09 02:43:18 +0100
committerJohn Johansen <john.johansen@canonical.com>2018-01-13 00:49:59 +0100
commit0dda0b3fb255048a221f736c8a2a24c674da8bf3 (patch)
tree2e608fa9c885466ab5d833bcbaff76620ada5db9 /security/apparmor/include/perms.h
parentMerge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/ker... (diff)
downloadlinux-0dda0b3fb255048a221f736c8a2a24c674da8bf3.tar.xz
linux-0dda0b3fb255048a221f736c8a2a24c674da8bf3.zip
apparmor: fix ptrace label match when matching stacked labels
Given a label with a profile stack of A//&B or A//&C ... A ptrace rule should be able to specify a generic trace pattern with a rule like ptrace trace A//&**, however this is failing because while the correct label match routine is called, it is being done post label decomposition so it is always being done against a profile instead of the stacked label. To fix this refactor the cross check to pass the full peer label in to the label_match. Fixes: 290f458a4f16 ("apparmor: allow ptrace checks to be finer grained than just capability") Cc: Stable <stable@vger.kernel.org> Reported-by: Matthew Garrett <mjg59@google.com> Tested-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include/perms.h')
-rw-r--r--security/apparmor/include/perms.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index 2b27bb79aec4..d7b7e7115160 100644
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -133,6 +133,9 @@ extern struct aa_perms allperms;
#define xcheck_labels_profiles(L1, L2, FN, args...) \
xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args)
+#define xcheck_labels(L1, L2, P, FN1, FN2) \
+ xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
+
void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);