yama: Better permission check for ptraceme

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Change the permission check for yama_ptrace_ptracee to the standard
ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
in the tracees user namespace.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

Eric W. Biederman 13 years ago eddc0a3a 751c644b

+1 -3

1 changed file

expand all

security

yama

yama_lsm.c

+1 -3

security/yama/yama_lsm.c

··· 347 347 /* Only disallow PTRACE_TRACEME on more aggressive settings. */ 348 348 switch (ptrace_scope) { 349 349 case YAMA_SCOPE_CAPABILITY: 350 - rcu_read_lock(); 351 - if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE)) 350 + if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE)) 352 351 rc = -EPERM; 353 - rcu_read_unlock(); 354 352 break; 355 353 case YAMA_SCOPE_NO_ATTACH: 356 354 rc = -EPERM;