From: John Johansen Date: Thu, 7 Jun 2018 07:45:30 +0000 (-0700) Subject: apparmor: fix ptrace read check X-Git-Tag: v4.18-rc1~28^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=338d0be437ef10e247a35aed83dbab182cf406a2;p=thirdparty%2Flinux.git apparmor: fix ptrace read check The ptrace read check is incorrect resulting in policy that is broader than it needs to be. Fix the check so that read access permission can be properly detected when other ptrace flags are set. Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels") Signed-off-by: John Johansen --- diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e35d12883990f..74f17376202bd 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -117,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child, tracer = begin_current_label_crit_section(); tracee = aa_get_task_label(child); error = aa_may_ptrace(tracer, tracee, - mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); + (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ + : AA_PTRACE_TRACE); aa_put_label(tracee); end_current_label_crit_section(tracer);
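Review bot: The new test `(mode & PTRACE_MODE_READ)` maps every mode value with the read bit set to AA_PTRACE_READ, whatever else is set alongside it, and the call site carries no comment on which other bits are expected there. The commit message only says "other ptrace flags", so a reader cannot tell from this hunk whether a mode that combines the read bit with an attach-type request could ever reach this point. If it could, it would now be checked against the weaker read permission rather than AA_PTRACE_TRACE. I would add a one-line comment above the aa_may_ptrace() call stating that the remaining bits are modifier flags and that read and attach requests are mutually exclusive, or make the test explicit about that assumption. It would also help if the commit message named the flag combination that triggered the wrong result under the old `mode == PTRACE_MODE_READ` comparison, so the behaviour change for existing policy (read accesses no longer needing the trace permission) is easy to verify.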