yama: Better permission check for ptraceme
Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This commit is contained in:
parent
751c644b95
commit
eddc0a3abf
|
@ -347,10 +347,8 @@ int yama_ptrace_traceme(struct task_struct *parent)
|
|||
/* Only disallow PTRACE_TRACEME on more aggressive settings. */
|
||||
switch (ptrace_scope) {
|
||||
case YAMA_SCOPE_CAPABILITY:
|
||||
rcu_read_lock();
|
||||
if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
|
||||
if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
|
||||
rc = -EPERM;
|
||||
rcu_read_unlock();
|
||||
break;
|
||||
case YAMA_SCOPE_NO_ATTACH:
|
||||
rc = -EPERM;
|
||||
|
|
Loading…
Reference in New Issue