apparmor: move ptrace checks to using labels

Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2017-06-09 14:22:14 -0700
committer: John Johansen <john.johansen@canonical.com> 2017-06-10 17:11:41 -0700
commit: b2d09ae449cedc6f276ac485c013d22a97d36992 (patch)
tree: 3984bf515f092325a3baad20d50a3814daff9f5a /security/apparmor/lsm.c
parent: ca916e8e2d88e97134a313eb3100ce9c3d8fd3f2 (diff)
1 files changed, 21 insertions, 2 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index c3e98f74268f..bf28b48bf6dd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -104,12 +104,31 @@ static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
 static int apparmor_ptrace_access_check(struct task_struct *child,
 					unsigned int mode)
 {
-	return aa_ptrace(current, child, mode);
+	struct aa_label *tracer, *tracee;
+	int error;
+
+	tracer = begin_current_label_crit_section();
+	tracee = aa_get_task_label(child);
+	error = aa_may_ptrace(tracer, tracee,
+		  mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+	aa_put_label(tracee);
+	end_current_label_crit_section(tracer);
+
+	return error;
 }
 
 static int apparmor_ptrace_traceme(struct task_struct *parent)
 {
-	return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
+	struct aa_label *tracer, *tracee;
+	int error;
+
+	tracee = begin_current_label_crit_section();
+	tracer = aa_get_task_label(parent);
+	error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
+	aa_put_label(tracer);
+	end_current_label_crit_section(tracee);
+
+	return error;
 }
 
 /* Derived from security/commoncap.c:cap_capget */
author	John Johansen <john.johansen@canonical.com>	2017-06-09 14:22:14 -0700
committer	John Johansen <john.johansen@canonical.com>	2017-06-10 17:11:41 -0700
commit	b2d09ae449cedc6f276ac485c013d22a97d36992 (patch)
tree	3984bf515f092325a3baad20d50a3814daff9f5a /security/apparmor/lsm.c
parent	ca916e8e2d88e97134a313eb3100ce9c3d8fd3f2 (diff)