[PATCH] SELinux: retain ptracer SID across fork

This fixes a bug in SELinux to retain the ptracer SID (if any) across fork. Otherwise, SELinux will always deny attempts by traced children to exec domain-changing programs even if the policy would have allowed the tracer to trace the new domains as well. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] SELinux: retain ptracer SID across fork
This fixes a bug in SELinux to retain the ptracer SID (if any) across fork. Otherwise, SELinux will always deny attempts by traced children to exec domain-changing programs even if the policy would have allowed the tracer to trace the new domains as well. Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
5334d6a1 · Stephen D. Smalley · Linus Torvalds · b9877c90 · 5334d6a1
Commit 5334d6a1 authored Oct 13, 2004 by Stephen D. Smalley Committed by Linus Torvalds Oct 13, 2004
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

security/selinux/hooks.c security/selinux/hooks.c +5 -0

No files found.
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2625,6 +2625,11 @@ static int selinux_task_alloc_security(struct task_struct *tsk)
 	tsec2->exec_sid = tsec1->exec_sid;
 	tsec2->create_sid = tsec1->create_sid;

+	/* Retain ptracer SID across fork, if any.
+	   This will be reset by the ptrace hook upon any
+	   subsequent ptrace_attach operations. */
+	tsec2->ptrace_sid = tsec1->ptrace_sid;
+
 	return 0;
 }