
Commit eddc0a3a authored by Eric W. Biederman

yama: Better permission check for ptraceme



Change the permission check for yama_ptrace_ptracee to the standard
ptrace permission check, testing if the tracer has CAP_SYS_PTRACE
in the tracee's user namespace.

Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
parent 751c644b
+1 −3
@@ -347,10 +347,8 @@ int yama_ptrace_traceme(struct task_struct *parent)
	/* Only disallow PTRACE_TRACEME on more aggressive settings. */
	switch (ptrace_scope) {
	case YAMA_SCOPE_CAPABILITY:
		rcu_read_lock();
		if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
		if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
			rc = -EPERM;
		rcu_read_unlock();
		break;
	case YAMA_SCOPE_NO_ATTACH:
		rc = -EPERM;
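Review bot: the replaced condition in the YAMA_SCOPE_CAPABILITY case tested the wrong task. ns_capable() evaluates the capabilities of current, which in yama_ptrace_traceme() is the tracee requesting PTRACE_TRACEME, so the old line asked whether the tracee held CAP_SYS_PTRACE in the parent's user namespace. The new has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE) asks the intended question, whether the tracer holds CAP_SYS_PTRACE in the tracee's namespace, which is the same direction ptrace_may_access() checks. One follow-up worth noting: the rcu_read_lock()/rcu_read_unlock() pair that still wraps the call no longer protects a __task_cred() dereference in this function, since has_ns_capability() takes the RCU read lock internally, so those two lines could be dropped in a later cleanup.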