[SRU,Bionic,1/1] apparmor: fix ptrace read check

Message ID 20210716161438.894779-2-georgia.garcia@canonical.com
State New
Series Fix ptrace read check (LP: 1890848)

Commit Message

Georgia Garcia July 16, 2021, 4:14 p.m. UTC
From: John Johansen <john.johansen@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1890848

The ptrace read check is incorrect resulting in policy that is
broader than it needs to be. Fix the check so that read access
permission can be properly detected when other ptrace flags are
set.

Fixes: b2d09ae449ce ("apparmor: move ptrace checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 338d0be437ef10e247a35aed83dbab182cf406a2)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
---
 security/apparmor/lsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index ecadaf8d7595..32eb76b39e09 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -90,7 +90,8 @@  static int apparmor_ptrace_access_check(struct task_struct *child,
 	tracer = begin_current_label_crit_section();
 	tracee = aa_get_task_label(child);
 	error = aa_may_ptrace(tracer, tracee,
-		  mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+			(mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
+						  : AA_PTRACE_TRACE);
 	aa_put_label(tracee);
 	end_current_label_crit_section(tracer);
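Review bot: the logic change in this hunk is right for the stated bug, but it is worth a one-line comment above the call: the old `mode == PTRACE_MODE_READ` equality only matched when no other bits were OR'd into `mode`, so any read request carrying extra flag bits fell through to the stricter `AA_PTRACE_TRACE`, which is the "broader than it needs to be" policy the commit message describes. Note the flip side of the new `(mode & PTRACE_MODE_READ)` test: if a caller ever passes a `mode` with both the read bit and an attach/trace bit set, the bitmask form now selects the weaker `AA_PTRACE_READ`, whereas the equality form would have selected `AA_PTRACE_TRACE`; a short comment stating that read and attach modes are mutually exclusive bits would document that assumption for the next reader. Style point: the continuation line `: AA_PTRACE_TRACE);` is indented with a mix of tabs and spaces to line up under the `?`, which will not survive other tab widths; aligning with tabs only, or keeping the whole ternary on one line as before, is cleaner.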