44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
From: Jann Horn <jannh@google.com>
|
|
Date: Sat, 29 Sep 2018 03:49:26 +0200
|
|
Subject: apparmor: don't try to replace stale label in ptraceme check
|
|
Origin: https://git.kernel.org/linus/ca3fde5214e1d24f78269b337d3f22afd6bf445e
|
|
Bug-Debian: https://bugs.debian.org/963493
|
|
|
|
begin_current_label_crit_section() must run in sleepable context because
|
|
when label_is_stale() is true, aa_replace_current_label() runs, which uses
|
|
prepare_creds(), which can sleep.
|
|
|
|
Until now, the ptraceme access check (which runs with tasklist_lock held)
|
|
violated this rule.
|
|
|
|
Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels")
|
|
Reported-by: Cyrill Gorcunov <gorcunov@gmail.com>
|
|
Reported-by: kernel test robot <rong.a.chen@intel.com>
|
|
Signed-off-by: Jann Horn <jannh@google.com>
|
|
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
|
---
|
|
security/apparmor/lsm.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
|
|
index 2c842f24821b..d08aac05c65a 100644
|
|
--- a/security/apparmor/lsm.c
|
|
+++ b/security/apparmor/lsm.c
|
|
@@ -132,11 +132,11 @@ static int apparmor_ptrace_traceme(struct task_struct *parent)
|
|
struct aa_label *tracer, *tracee;
|
|
int error;
|
|
|
|
- tracee = begin_current_label_crit_section();
|
|
+ tracee = __begin_current_label_crit_section();
|
|
tracer = aa_get_task_label(parent);
|
|
error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
|
|
aa_put_label(tracer);
|
|
- end_current_label_crit_section(tracee);
|
|
+ __end_current_label_crit_section(tracee);
|
|
|
|
return error;
|
|
}
|
|
--
|
|
2.27.0
|
|
|