1
Index: b/security/apparmor/lsm.c
2
===================================================================
3
--- a/security/apparmor/lsm.c
4
+++ b/security/apparmor/lsm.c
5
@@ -74,10 +74,28 @@ static int aa_reject_syscall(struct task
6
static int apparmor_ptrace(struct task_struct *parent,
7
struct task_struct *child)
9
- int error = cap_ptrace(parent, child);
13
+ * Right now, we only allow confined processes to ptrace other
14
+ * processes if they have CAP_SYS_PTRACE. We could allow ptrace
15
+ * under the rules that the kernel normally permits if the two
16
+ * processes are running under the same profile, but then we
17
+ * would probably have to reject profile changes for processes
18
+ * that are being ptraces as well as for processes ptracing
22
+ error = cap_ptrace(parent, child);
24
+ struct aa_profile *profile;
27
- error = aa_reject_syscall(parent, GFP_KERNEL, "ptrace");
28
+ profile = aa_get_profile(parent);
30
+ error = aa_capability(profile, CAP_SYS_PTRACE);
32
+ aa_put_profile(profile);