yama: Better permission check for ptraceme

Change the permission check for yama_ptrace_ptracee to the standard
ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
in the tracees user namespace.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This commit is contained in:
Eric W. Biederman 2013-03-21 02:30:41 -07:00
parent 751c644b95
commit eddc0a3abf

View file

@ -347,10 +347,8 @@ int yama_ptrace_traceme(struct task_struct *parent)
/* Only disallow PTRACE_TRACEME on more aggressive settings. */ /* Only disallow PTRACE_TRACEME on more aggressive settings. */
switch (ptrace_scope) { switch (ptrace_scope) {
case YAMA_SCOPE_CAPABILITY: case YAMA_SCOPE_CAPABILITY:
rcu_read_lock(); if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
rc = -EPERM; rc = -EPERM;
rcu_read_unlock();
break; break;
case YAMA_SCOPE_NO_ATTACH: case YAMA_SCOPE_NO_ATTACH:
rc = -EPERM; rc = -EPERM;