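--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2229,6 +2229,20 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 
 /* binprm security operations */
 
+static u32 ptrace_parent_sid(struct task_struct *task)
+{
+	u32 sid = 0;
+	struct task_struct *tracer;
+
+	rcu_read_lock();
+	tracer = ptrace_parent(task);
+	if (tracer)
+		sid = task_sid(tracer);
+	rcu_read_unlock();
+
+	return sid;
+}
+
 static int check_nnp_nosuid(const struct linux_binprm *bprm,
 			    const struct task_security_struct *old_tsec,
 			    const struct task_security_struct *new_tsec)
@@ -2350,18 +2364,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 		 * changes its SID has the appropriate permit */
 		if (bprm->unsafe &
 		    (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
-			struct task_struct *tracer;
-			struct task_security_struct *sec;
-			u32 ptsid = 0;
-
-			rcu_read_lock();
-			tracer = ptrace_parent(current);
-			if (likely(tracer != NULL)) {
-				sec = __task_cred(tracer)->security;
-				ptsid = sec->sid;
-			}
-			rcu_read_unlock();
-
+			u32 ptsid = ptrace_parent_sid(current);
 			if (ptsid != 0) {
 				rc = avc_has_perm(ptsid, new_tsec->sid,
 						  SECCLASS_PROCESS,
@@ -5677,7 +5680,6 @@ static int selinux_setprocattr(struct task_struct *p,
 				char *name, void *value, size_t size)
 {
 	struct task_security_struct *tsec;
-	struct task_struct *tracer;
 	struct cred *new;
 	u32 sid = 0, ptsid;
 	int error;
@@ -5784,14 +5786,8 @@ static int selinux_setprocattr(struct task_struct *p,
 
 		/* Check for ptracing, and update the task SID if ok.
 		   Otherwise, leave SID unchanged and fail. */
-		ptsid = 0;
-		rcu_read_lock();
-		tracer = ptrace_parent(p);
-		if (tracer)
-			ptsid = task_sid(tracer);
-		rcu_read_unlock();
-
-		if (tracer) {
+		ptsid = ptrace_parent_sid(p);
+		if (ptsid != 0) {
 			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
 					     PROCESS__PTRACE, NULL);
 			if (error)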
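Review bot: In selinux_setprocattr the gate on the PROCESS__PTRACE check changes from `if (tracer)` to `if (ptsid != 0)`, so the helper's 0 return now stands for both "no tracer" and "tracer whose SID read as 0", and the second case would skip avc_has_perm instead of reaching it. That is presumably unreachable if a live task never carries the null SID, but the access decision now rests on that assumption and nothing in the new code states it; selinux_bprm_set_creds already used the `ptsid != 0` form. I would document the contract on the helper, e.g. `/* Return the SID of @task's ptrace parent, or SECSID_NULL if @task is not being traced. */`, and write `u32 sid = SECSID_NULL;` and `if (ptsid != SECSID_NULL)` at both call sites so the sentinel is explicit. Both callers' bodies continue outside the hunks shown.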