git.baikalelectronics.ru Git - kernel.git/commit

author	John Johansen <john.johansen@canonical.com>
	Sat, 9 Dec 2017 01:43:18 +0000 (17:43 -0800)
committer	John Johansen <john.johansen@canonical.com>
	Fri, 12 Jan 2018 23:49:59 +0000 (15:49 -0800)
commit	4c84547c1b430529de74de3c6f0c48c4ff474022
tree	2e608fa9c885466ab5d833bcbaff76620ada5db9	tree \| snapshot
parent	b5b32b69c3f57444a740cde39f48d491f487fdc2	commit \| diff

apparmor: fix ptrace label match when matching stacked labels

Given a label with a profile stack of
A//&B or A//&C ...

A ptrace rule should be able to specify a generic trace pattern with
a rule like

ptrace trace A//&**,

however this is failing because while the correct label match routine
is called, it is being done post label decomposition so it is always
being done against a profile instead of the stacked label.

To fix this refactor the cross check to pass the full peer label in to
the label_match.

Fixes: 9e5fd93019ba ("apparmor: allow ptrace checks to be finer grained than just capability")
Cc: Stable <stable@vger.kernel.org>
Reported-by: Matthew Garrett <mjg59@google.com>
Tested-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

security/apparmor/include/perms.h		diff \| blob \| history
security/apparmor/ipc.c		diff \| blob \| history