apparmor/kernel-patches/for-mainline/apparmor_ptrace-cleanup.diff
2007-05-25 12:35:47 +00:00


---
security/apparmor/lsm.c | 37 ++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -108,8 +108,6 @@ static int apparmor_ptrace(struct task_s
struct task_struct *child)
{
struct aa_task_context *cxt;
- struct aa_task_context *child_cxt;
- struct aa_profile *child_profile;
int error = 0;
/*
@@ -123,22 +121,27 @@ static int apparmor_ptrace(struct task_s
rcu_read_lock();
cxt = aa_task_context(parent);
- child_cxt = aa_task_context(child);
- child_profile = child_cxt ? child_cxt->profile : NULL;
- if (cxt && (parent->nsproxy != child->nsproxy)) {
- aa_audit_message(NULL, GFP_ATOMIC, "REJECTING ptrace across "
- "namespace of %d by %d",
- parent->pid, child->pid);
- error = -EPERM;
- } else {
- error = aa_may_ptrace(cxt, child_profile);
- if (cxt && PROFILE_COMPLAIN(cxt->profile)) {
+ if (cxt) {
+ if (parent->nsproxy != child->nsproxy) {
aa_audit_message(cxt->profile, GFP_ATOMIC,
- "LOGPROF-HINT ptrace pid=%d child=%d "
- "(%d profile %s active %s)",
- current->pid, child->pid, current->pid,
- cxt->profile->parent->name,
- cxt->profile->name);
+ "REJECTING ptrace across "
+ "namespace of %d by %d",
+ parent->pid, child->pid);
+ error = -EPERM;
+ } else {
+ struct aa_task_context *child_cxt =
+ aa_task_context(child);
+
+ error = aa_may_ptrace(cxt, child_cxt ?
+ child_cxt->profile : NULL);
+ if (PROFILE_COMPLAIN(cxt->profile)) {
+ aa_audit_message(cxt->profile, GFP_ATOMIC,
+ "LOGPROF-HINT ptrace pid=%d child=%d "
+ "(%d profile %s active %s)",
+ current->pid, child->pid, current->pid,
+ cxt->profile->parent->name,
+ cxt->profile->name);
+ }
}
}
rcu_read_unlock();
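Review bot: In the re-added namespace rejection, the audit string reads `"REJECTING ptrace across namespace of %d by %d"` but the arguments are `parent->pid, child->pid`, so the record names the tracer as the target, assuming `parent` is the tracing task as the parameter names suggest. Changing that argument line to `child->pid, parent->pid);` would keep the denial log accurate for anyone triaging it. Separately, with the whole check now under `if (cxt)`, a parent without an AppArmor context no longer reaches `aa_may_ptrace()` at all. That matches the old behaviour only if `aa_may_ptrace(NULL, ...)` returned 0, which is not visible here, so a short comment such as `/* unconfined tracer: no AppArmor restriction */` above `if (cxt)` would record the intent. The body of `apparmor_ptrace` starts and ends outside this hunk.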