On 09/28/2018 06:49 PM, Jann Horn wrote: > begin_current_label_crit_section() must run in sleepable context because > when label_is_stale() is true, aa_replace_current_label() runs, which uses > prepare_creds(), which can sleep. > > Until now, the ptraceme access check (which runs with tasklist_lock held) > violated this rule. > yep, thanks
I've pulled this into my tree and will send it up with another fix Acked-by: John Johansen <[email protected]> > Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels") > Reported-by: Cyrill Gorcunov <[email protected]> > Reported-by: kernel test robot <[email protected]> > Signed-off-by: Jann Horn <[email protected]> > --- > security/apparmor/lsm.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c > index 8c7f46a6a8dc..0f56431b4b2f 100644 > --- a/security/apparmor/lsm.c > +++ b/security/apparmor/lsm.c > @@ -131,11 +131,11 @@ static int apparmor_ptrace_traceme(struct task_struct > *parent) > struct aa_label *tracer, *tracee; > int error; > > - tracee = begin_current_label_crit_section(); > + tracee = __begin_current_label_crit_section(); > tracer = aa_get_task_label(parent); > error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); > aa_put_label(tracer); > - end_current_label_crit_section(tracee); > + __end_current_label_crit_section(tracee); > > return error; > } > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
