apparmor: fix ptrace read check
authorJohn Johansen <john.johansen@canonical.com>
Thu, 7 Jun 2018 07:45:30 +0000 (00:45 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Thu, 7 Jun 2018 08:51:02 +0000 (01:51 -0700)
The ptrace read check is incorrect, resulting in policy that is
broader than it needs to be. Fix the check so that read access
permission can be properly detected when other ptrace flags are
set.

Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/lsm.c

index e35d12883990fe3cabac161f1672fe2b2f234427..74f17376202bd1cf36cafcf849abd06fe36ec35a 100644 (file)
@@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
        tracer = begin_current_label_crit_section();
        tracee = aa_get_task_label(child);
        error = aa_may_ptrace(tracer, tracee,
-                 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+                       (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
+                                                 : AA_PTRACE_TRACE);
        aa_put_label(tracee);
        end_current_label_crit_section(tracer);
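Review bot: The new condition in the `aa_may_ptrace()` call maps every `mode` that has the `PTRACE_MODE_READ` bit set to `AA_PTRACE_READ`, so a value that also carried `PTRACE_MODE_ATTACH` would be mediated with the weaker read permission. The callers are not visible here and presumably never set both bits, but masking the two access bits keeps the stricter permission as the fallback for anything that is not a pure read: `((mode & (PTRACE_MODE_READ | PTRACE_MODE_ATTACH)) == PTRACE_MODE_READ) ? AA_PTRACE_READ : AA_PTRACE_TRACE`. A one-line comment above the call, such as `/* mode is a bitmask: other PTRACE_MODE_* flags may accompany READ */`, would record why an equality test on the whole value is wrong. The body of apparmor_ptrace_access_check starts before and ends after this hunk.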