Gitiles
Code Review Sign In
LeafOS / LeafOS-Devices / android_kernel_samsung_exynos9820 / 233363fd02c5fffdfd0be305b70adbbe661d22cf
commit233363fd02c5fffdfd0be305b70adbbe661d22cf[log] [tgz]
authorJohn Johansen <john.johansen@canonical.com>Fri Dec 08 17:43:18 2017 -0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Jan 17 09:45:27 2018 +0100
treebecac4111f5e08ae6b1c766361bd096b1c6d7ad6
parenta4ae05b7bfcdd72f135099b848e1777e486efb19 [diff]
apparmor: fix ptrace label match when matching stacked labels

commit 0dda0b3fb255048a221f736c8a2a24c674da8bf3 upstream.

Given a label with a profile stack of
  A//&B or A//&C ...

A ptrace rule should be able to specify a generic trace pattern with
a rule like

  ptrace trace A//&**,

however this is failing because while the correct label match routine
is called, it is being done post label decomposition so it is always
being done against a profile instead of the stacked label.

To fix this refactor the cross check to pass the full peer label in to
the label_match.

Fixes: 290f458a4f16 ("apparmor: allow ptrace checks to be finer grained than just capability")
Reported-by: Matthew Garrett <mjg59@google.com>
Tested-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2 files changed
tree: becac4111f5e08ae6b1c766361bd096b1c6d7ad6
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README