summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2018-06-07 09:45:30 +0200
committerJohn Johansen <john.johansen@canonical.com>2018-06-07 10:51:02 +0200
commit338d0be437ef10e247a35aed83dbab182cf406a2 (patch)
treea35737ad4aff38dbb6f9b228ee1999fb8b51b894 /security
parentapparmor: fix memory leak when deduping profile load (diff)
downloadlinux-338d0be437ef10e247a35aed83dbab182cf406a2.tar.xz
linux-338d0be437ef10e247a35aed83dbab182cf406a2.zip
apparmor: fix ptrace read check
The ptrace read check is incorrect resulting in policy that is broader than it needs to be. Fix the check so that read access permission can be properly detected when other ptrace flags are set. Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels") Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/lsm.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e35d12883990..74f17376202b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
tracer = begin_current_label_crit_section();
tracee = aa_get_task_label(child);
error = aa_may_ptrace(tracer, tracee,
- mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+ (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
+ : AA_PTRACE_TRACE);
aa_put_label(tracee);
end_current_label_crit_section(tracer);