    [PATCH] SELinux ptrace race fix · 96cc4727
    Andrew Morton authored
    From: Stephen Smalley <sds@epoch.ncsc.mil>
    
    Looking again at the SELinux ptrace check, I believe that there is an
    unrelated race due to the fact that the parent link is only updated after
    releasing the task lock in ptrace_attach (and this is necessary as task lock
    doesn't nest with write lock of tasklist_lock).
    
    The patch below changes SELinux to save the tracing process' SID upon a
    successful selinux_ptrace hook call and then use that SID in the ptrace check
    in apply_creds in order to avoid such races.  This allows us to preserve the
    fine-grained process-to-process ptrace check upon exec (vs.  the global
    CAP_SYS_PTRACE privilege => PT_PTRACE_CAP flag used by the capability module)
    while still avoiding races.
objsec.h 4.24 KB