apparmor: don't try to replace stale label in ptraceme check

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

begin_current_label_crit_section() must run in sleepable context because
when label_is_stale() is true, aa_replace_current_label() runs, which uses
prepare_creds(), which can sleep.

Until now, the ptraceme access check (which runs with tasklist_lock held)
violated this rule.

Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels")
Reported-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reported-by: kernel test robot <rong.a.chen@intel.com>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by

Jann Horn and committed by

John Johansen 7 years ago ca3fde52 0fb871cc

+2 -2

1 changed file

expand all

security

apparmor

lsm.c

+2 -2

security/apparmor/lsm.c

··· 132 132 struct aa_label *tracer, *tracee; 133 133 int error; 134 134 135 - tracee = begin_current_label_crit_section(); 135 + tracee = __begin_current_label_crit_section(); 136 136 tracer = aa_get_task_label(parent); 137 137 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 138 138 aa_put_label(tracer); 139 - end_current_label_crit_section(tracee); 139 + __end_current_label_crit_section(tracee); 140 140 141 141 return error; 142 142 }