ptrace: use fsuid, fsgid, effective creds for fs access checks

	state = *get_task_state(task);

	vsize = eip = esp = 0;

	permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);

	permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);

	mm = get_task_mm(task);

	if (mm) {

		vsize = task_vsize(mm);

static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,

			 struct pid *pid, struct task_struct *task)

{

	struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);

	struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);

	if (mm && !IS_ERR(mm)) {

		unsigned int nwords = 0;

		do {

	wchan = get_wchan(task);

	if (wchan && ptrace_may_access(task, PTRACE_MODE_READ) && !lookup_symbol_name(wchan, symname))

	if (wchan && ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)

			&& !lookup_symbol_name(wchan, symname))

		seq_printf(m, "%s", symname);

	else

		seq_putc(m, '0');

	int err = mutex_lock_killable(&task->signal->cred_guard_mutex);

	if (err)

		return err;

	if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) {

	if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) {

		mutex_unlock(&task->signal->cred_guard_mutex);

		return -EPERM;

	}

	 */

	task = get_proc_task(inode);

	if (task) {

		allowed = ptrace_may_access(task, PTRACE_MODE_READ);

		allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

		put_task_struct(task);

	}

	return allowed;

		return true;

	if (in_group_p(pid->pid_gid))

		return true;

	return ptrace_may_access(task, PTRACE_MODE_READ);

	return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

}

	struct mm_struct *mm = ERR_PTR(-ESRCH);

	if (task) {

		mm = mm_access(task, mode);

		mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);

		put_task_struct(task);

		if (!IS_ERR_OR_NULL(mm)) {

	if (!task)

		goto out_notask;

	mm = mm_access(task, PTRACE_MODE_READ);

	mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);

	if (IS_ERR_OR_NULL(mm))

		goto out;

		goto out;

	result = -EACCES;

	if (!ptrace_may_access(task, PTRACE_MODE_READ))

	if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))

		goto out_put_task;

	result = -ENOENT;

		goto out;

	ret = -EACCES;

	if (!ptrace_may_access(task, PTRACE_MODE_READ))

	if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))

		goto out_put_task;

	ret = 0;

	if (result)

		return result;

	if (!ptrace_may_access(task, PTRACE_MODE_READ)) {

	if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {

		result = -EACCES;

		goto out_unlock;

	}

	if (!task)

		return error;

	if (ptrace_may_access(task, PTRACE_MODE_READ)) {

	if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {

		error = ns_get_path(&ns_path, task, ns_ops);

		if (!error)

			nd_jump_link(&ns_path);

	if (!task)

		return res;

	if (ptrace_may_access(task, PTRACE_MODE_READ)) {

	if (ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {

		res = ns_get_name(name, sizeof(name), task, ns_ops);

		if (res >= 0)

			res = readlink_copy(buffer, buflen, name);

#define PTRACE_MODE_READ	0x01

#define PTRACE_MODE_ATTACH	0x02

#define PTRACE_MODE_NOAUDIT	0x04

/* Returns true on success, false on denial. */

#define PTRACE_MODE_FSCREDS 0x08

#define PTRACE_MODE_REALCREDS 0x10

/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */

#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)

#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)

#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)

#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)

/**

 * ptrace_may_access - check whether the caller is permitted to access

 * a target task.

 * @task: target task

 * @mode: selects type of access and caller credentials

 *

 * Returns true on success, false on denial.

 *

 * One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must

 * be set in @mode to specify whether the access was requested through

 * a filesystem syscall (should use effective capabilities and fsuid

 * of the caller) or through an explicit syscall such as

 * process_vm_writev or ptrace (and should use the real credentials).

 */

extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);

static inline int ptrace_reparented(struct task_struct *child)

	/* Reuse ptrace permission checks for now. */

	err = -EACCES;

	if (!ptrace_may_access(task, PTRACE_MODE_READ))

	if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))

		goto errout;

	return task;