From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: use new ptrace security_operations
This patch implements the new ptrace security_operations members.
->ptrace was changed to ->ptrace_may_access and ->ptrace_traceme.
The AppArmor versions are just thin wrappers around the old function.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: John Johansen <jjohansen@suse.de>
---
security/apparmor/lsm.c | 51 ++++++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 19 deletions(-)
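--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -157,47 +157,47 @@ static int aa_reject_syscall(struct task
 return error;
 }
 
-static int apparmor_ptrace(struct task_struct *parent,
- struct task_struct *child, unsigned int mode)
+static int apparmor_ptrace(struct task_struct *tracer,
+ struct task_struct *tracee)
 {
 struct aa_task_context *cxt;
 int error = 0;
 
 /*
- * parent can ptrace child when
- * - parent is unconfined
- * - parent & child are in the same namespace &&
- * - parent is in complain mode
- * - parent and child are confined by the same profile
- * - parent profile has CAP_SYS_PTRACE
+ * tracer can ptrace tracee when
+ * - tracer is unconfined
+ * - tracer & tracee are in the same namespace &&
+ * - tracer is in complain mode
+ * - tracer and tracee are confined by the same profile
+ * - tracer profile has CAP_SYS_PTRACE
 */
 
 rcu_read_lock();
- cxt = aa_task_context(parent);
+ cxt = aa_task_context(tracer);
 if (cxt) {
- if (parent->nsproxy != child->nsproxy) {
+ if (tracer->nsproxy != tracee->nsproxy) {
 struct aa_audit sa;
 memset(&sa, 0, sizeof(sa));
 sa.operation = "ptrace";
 sa.gfp_mask = GFP_ATOMIC;
- sa.parent = parent->pid;
- sa.task = child->pid;
+ sa.parent = tracer->pid;
+ sa.task = tracee->pid;
 sa.info = "different namespaces";
 aa_audit_reject(cxt->profile, &sa);
 error = -EPERM;
 } else {
- struct aa_task_context *child_cxt =
- aa_task_context(child);
+ struct aa_task_context *tracee_cxt =
+ aa_task_context(tracee);
 
- error = aa_may_ptrace(cxt, child_cxt ?
- child_cxt->profile : NULL);
+ error = aa_may_ptrace(cxt, tracee_cxt ?
+ tracee_cxt->profile : NULL);
 if (error && PROFILE_COMPLAIN(cxt->profile)) {
 struct aa_audit sa;
 memset(&sa, 0, sizeof(sa));
 sa.operation = "ptrace";
 sa.gfp_mask = GFP_ATOMIC;
- sa.parent = parent->pid;
- sa.task = child->pid;
+ sa.parent = tracer->pid;
+ sa.task = tracee->pid;
 aa_audit_hint(cxt->profile, &sa);
 }
 }
 }
@@ -207,6 +207,18 @@ static int apparmor_ptrace(struct task_s
 return error;
 }
 
+static int apparmor_ptrace_may_access(struct task_struct *child,
+ unsigned int mode)
+{
+ return apparmor_ptrace(current, child);
+}
+
+
+static int apparmor_ptrace_traceme(struct task_struct *parent)
+{
+ return apparmor_ptrace(parent, current);
+}
+
 static int apparmor_capable(struct task_struct *task, int cap)
 {
 int error;
@@ -899,7 +911,8 @@ static int apparmor_task_setrlimit(unsig
 }
 
 struct security_operations apparmor_ops = {
- .ptrace = apparmor_ptrace,
+ .ptrace_may_access = apparmor_ptrace_may_access,
+ .ptrace_traceme = apparmor_ptrace_traceme,
 .capget = cap_capget,
 .capset_check = cap_capset_check,
 .capset_set = cap_capset_set,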
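Review bot: In the `@@ -207,6 +207,18 @@` hunk, `apparmor_ptrace_may_access` never reads its `mode` argument, so a PTRACE_MODE_READ query is put through exactly the same profile check, and produces the same `"ptrace"` audit record, as a PTRACE_MODE_ATTACH request. The removed `->ptrace` signature carried `mode` as well and nothing in the visible body of `apparmor_ptrace` used it, so this is not a regression, but the new wrapper now makes that policy choice silently and a future reader will assume the parameter was simply forgotten. Please record the decision at the wrapper, e.g. `/* mode is deliberately ignored: read-only access is mediated exactly like an attach */`, so anyone who later wants to relax read access knows where the check lives. Since the audit path in the first hunk also only sets `sa.operation = "ptrace"`, logs cannot tell the two cases apart either, which is worth a line in the commit message.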