mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-07 11:28:32 +00:00
Code Issues Releases Wiki Activity
linux-stable/security/apparmor
History
John Johansen 233363fd02 apparmor: fix ptrace label match when matching stacked labels 
commit 0dda0b3fb2 upstream.

Given a label with a profile stack of
  A//&B or A//&C ...

A ptrace rule should be able to specify a generic trace pattern with
a rule like

  ptrace trace A//&**,

however this is failing because while the correct label match routine
is called, it is being done post label decomposition so it is always
being done against a profile instead of the stacked label.

To fix this refactor the cross check to pass the full peer label in to
the label_match.

Fixes: 290f458a4f ("apparmor: allow ptrace checks to be finer grained than just capability")
Reported-by: Matthew Garrett <mjg59@google.com>
Tested-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-17 09:45:27 +01:00
..
include apparmor: fix ptrace label match when matching stacked labels 2018-01-17 09:45:27 +01:00
.gitignore Revert "apparmor: add base infastructure for socket mediation" 2017-10-26 19:35:35 +02:00
apparmorfs.c Revert "apparmor: add base infastructure for socket mediation" 2017-10-26 19:35:35 +02:00
audit.c apparmor: switch from profiles to using labels on contexts 2017-06-10 17:11:38 -07:00
capability.c apparmor: move capability checks to using labels 2017-06-10 17:11:40 -07:00
context.c apparmor: switch from profiles to using labels on contexts 2017-06-10 17:11:38 -07:00
crypto.c apparmor: use SHASH_DESC_ON_STACK 2017-04-07 08:58:35 +10:00
domain.c + Features 2017-09-23 05:33:29 -10:00
file.c Revert "apparmor: add base infastructure for socket mediation" 2017-10-26 19:35:35 +02:00
ipc.c apparmor: fix ptrace label match when matching stacked labels 2018-01-17 09:45:27 +01:00
Kconfig apparmor: add debug assert AA_BUG and Kconfig to control debug info 2017-01-16 01:18:24 -08:00
label.c apparmor: fix incorrect type assignment when freeing proxies 2017-09-22 13:00:58 -07:00
lib.c Revert "apparmor: add base infastructure for socket mediation" 2017-10-26 19:35:35 +02:00
lsm.c Revert "apparmor: add base infastructure for socket mediation" 2017-10-26 19:35:35 +02:00
Makefile License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
match.c doc: ReSTify apparmor.txt 2017-05-18 10:32:38 -06:00
mount.c apparmor: fix regression in mount mediation when feature set is pinned 2018-01-10 09:31:22 +01:00
nulldfa.in apparmor: add a default null dfa 2017-01-16 01:18:34 -08:00
path.c apparmor: Move path lookup to using preallocated buffers 2017-06-08 11:29:34 -07:00
policy.c apparmor: fix leak of null profile name if profile allocation fails 2017-12-14 09:53:06 +01:00
policy_ns.c apparmor: ensure unconfined profiles have dfas initialized 2017-09-22 13:00:58 -07:00
policy_unpack.c Revert "apparmor: add base infastructure for socket mediation" 2017-10-26 19:35:35 +02:00
procattr.c apparmor: switch getprocattr to using label_print fns() 2017-06-10 17:11:39 -07:00
resource.c apparmor: move resource checks to using labels 2017-06-10 17:11:40 -07:00
secid.c apparmor: rename sid to secid 2017-01-16 00:42:17 -08:00