apparmor: move ptrace checks to using labels

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen
2017-06-09 14:22:14 -07:00
parent ca916e8e2d
commit b2d09ae449
5 changed files with 58 additions and 80 deletions


@@ -51,14 +51,16 @@ void aa_free_domain_entries(struct aa_domain *domain)
/**
* may_change_ptraced_domain - check if can change profile on ptraced task
* @to_profile: profile to change to (NOT NULL)
* @to_label: profile to change to (NOT NULL)
* @info: message if there is an error
*
* Check if current is ptraced and if so if the tracing task is allowed
* to trace the new domain
*
* Returns: %0 or error if change not allowed
*/
static int may_change_ptraced_domain(struct aa_profile *to_profile)
static int may_change_ptraced_domain(struct aa_label *to_label,
const char **info)
{
struct task_struct *tracer;
struct aa_label *tracerl = NULL;
@@ -74,13 +76,14 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
if (!tracer || unconfined(tracerl))
goto out;
error = aa_may_ptrace(labels_profile(tracerl), to_profile,
PTRACE_MODE_ATTACH);
error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH);
out:
rcu_read_unlock();
aa_put_label(tracerl);
if (error)
*info = "ptrace prevents transition";
return error;
}
@@ -477,7 +480,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
}
if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
error = may_change_ptraced_domain(new_profile);
error = may_change_ptraced_domain(&new_profile->label, &info);
if (error)
goto audit;
}
@@ -661,7 +664,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
}
}
error = may_change_ptraced_domain(hat);
error = may_change_ptraced_domain(&hat->label, &info);
if (error) {
info = "ptraced";
error = -EPERM;
@@ -782,7 +785,7 @@ int aa_change_profile(const char *fqname, int flags)
}
/* check if tracing task is allowed to trace target domain */
error = may_change_ptraced_domain(target);
error = may_change_ptraced_domain(&target->label, &info);
if (error) {
info = "ptrace prevents transition";
goto audit;
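Review bot: The message that may_change_ptraced_domain now writes through `info` is discarded in the aa_change_hat hunk, where the error branch right after `may_change_ptraced_domain(&hat->label, &info)` overwrites it with `info = "ptraced"` and replaces the returned code with `-EPERM`; the aa_change_profile hunk re-assigns the identical string `"ptrace prevents transition"` immediately after its call, so that assignment is now redundant. If the distinct message and the -EPERM override in aa_change_hat are intentional, a one-line comment stating why would help a reader who sees the helper set `*info` itself; otherwise both callers could shrink to `if (error) goto audit;`. The kernel-doc on the new side still describes the first parameter as a profile; `@to_label: label to change to (NOT NULL)` and `@info: set to an error message only on failure` would match the new signature. The bodies of aa_change_hat and aa_change_profile continue outside their hunks, so the final value of `info` at the audit site cannot be confirmed from here.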