From 338d0be437ef10e247a35aed83dbab182cf406a2 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Thu, 7 Jun 2018 00:45:30 -0700
Subject: [PATCH] apparmor: fix ptrace read check
Git-commit: 338d0be437ef10e247a35aed83dbab182cf406a2
Patch-mainline: v4.18-rc1
References: bsc#1051510

The ptrace read check is incorrect resulting in policy that is
broader than it needs to be. Fix the check so that read access
permission can be properly detected when other ptrace flags are
set.

Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 security/apparmor/lsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e35d12883990..74f17376202b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
 	tracer = begin_current_label_crit_section();
 	tracee = aa_get_task_label(child);
 	error = aa_may_ptrace(tracer, tracee,
-		  mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+			(mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
+						  : AA_PTRACE_TRACE);
 	aa_put_label(tracee);
 	end_current_label_crit_section(tracer);
 
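Review bot: the change from `mode == PTRACE_MODE_READ` to `(mode & PTRACE_MODE_READ)` is the right fix, because `mode` is a bitmask and the credential-selection flags (PTRACE_MODE_FSCREDS / PTRACE_MODE_REALCREDS) are OR'd in by callers, so a read-mode request such as PTRACE_MODE_READ_FSCREDS never compared equal and was being escalated to the broader AA_PTRACE_TRACE check. One thing worth making explicit, either in a comment above the call or in the commit message: the ternary now keys on the READ bit alone, so a mode that carried both PTRACE_MODE_READ and PTRACE_MODE_ATTACH would be classified as a read and get the weaker permission check; no current caller passes both, but stating that assumption next to the test would help future readers. Also note the continuation lines of the `aa_may_ptrace()` call now use a mix of tabs and spaces for alignment; matching the indentation style of the surrounding lines would keep checkpatch quiet.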
-- 
2.18.0