Commit 0c6181cb authored by Paul Moore

selinux: consolidate the ptrace parent lookup code

We look up the tracing parent in two places using effectively the
same code, so let's consolidate it into one helper.
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 4b57d6bc
...@@ -2229,6 +2229,20 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) ...@@ -2229,6 +2229,20 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
/* binprm security operations */ /* binprm security operations */
static u32 ptrace_parent_sid(struct task_struct *task)
{
u32 sid = 0;
struct task_struct *tracer;
rcu_read_lock();
tracer = ptrace_parent(task);
if (tracer)
sid = task_sid(tracer);
rcu_read_unlock();
return sid;
}
static int check_nnp_nosuid(const struct linux_binprm *bprm, static int check_nnp_nosuid(const struct linux_binprm *bprm,
const struct task_security_struct *old_tsec, const struct task_security_struct *old_tsec,
const struct task_security_struct *new_tsec) const struct task_security_struct *new_tsec)
...@@ -2350,18 +2364,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) ...@@ -2350,18 +2364,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
* changes its SID has the appropriate permit */ * changes its SID has the appropriate permit */
if (bprm->unsafe & if (bprm->unsafe &
(LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
struct task_struct *tracer; u32 ptsid = ptrace_parent_sid(current);
struct task_security_struct *sec;
u32 ptsid = 0;
rcu_read_lock();
tracer = ptrace_parent(current);
if (likely(tracer != NULL)) {
sec = __task_cred(tracer)->security;
ptsid = sec->sid;
}
rcu_read_unlock();
if (ptsid != 0) { if (ptsid != 0) {
rc = avc_has_perm(ptsid, new_tsec->sid, rc = avc_has_perm(ptsid, new_tsec->sid,
SECCLASS_PROCESS, SECCLASS_PROCESS,
...@@ -5677,7 +5680,6 @@ static int selinux_setprocattr(struct task_struct *p, ...@@ -5677,7 +5680,6 @@ static int selinux_setprocattr(struct task_struct *p,
char *name, void *value, size_t size) char *name, void *value, size_t size)
{ {
struct task_security_struct *tsec; struct task_security_struct *tsec;
struct task_struct *tracer;
struct cred *new; struct cred *new;
u32 sid = 0, ptsid; u32 sid = 0, ptsid;
int error; int error;
...@@ -5784,14 +5786,8 @@ static int selinux_setprocattr(struct task_struct *p, ...@@ -5784,14 +5786,8 @@ static int selinux_setprocattr(struct task_struct *p,
/* Check for ptracing, and update the task SID if ok. /* Check for ptracing, and update the task SID if ok.
Otherwise, leave SID unchanged and fail. */ Otherwise, leave SID unchanged and fail. */
ptsid = 0; ptsid = ptrace_parent_sid(p);
rcu_read_lock(); if (ptsid != 0) {
tracer = ptrace_parent(p);
if (tracer)
ptsid = task_sid(tracer);
rcu_read_unlock();
if (tracer) {
error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
PROCESS__PTRACE, NULL); PROCESS__PTRACE, NULL);
if (error) if (error)
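Review bot: The new ptrace_parent_sid() helper in the first hunk has no comment, and its return value overloads 0 as both "no tracer" and a SID, which matters because the selinux_setprocattr hunk changes its guard from `if (tracer)` to `if (ptsid != 0)`: a tracer whose SID happened to be 0 would previously have reached avc_has_perm() and now skips the ptrace permission check entirely. That is only equivalent if a live task's SID can never be 0 (presumably SECSID_NULL), an assumption the helper should state rather than leave implicit, especially since the bprm path already keyed on `ptsid != 0` before this change. Suggest adding above the helper: `/* Return the SID of @task's ptrace parent, or 0 (SECSID_NULL) if @task is not being traced; callers rely on a live task never having SID 0. */`. If that assumption does not hold, the helper could instead return a bool "traced" flag alongside the SID so the two cases stay distinguishable. The bodies of selinux_bprm_set_creds and selinux_setprocattr both begin and end outside the visible hunks.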