apparmor: allow ptrace checks to be finer grained than just capability

Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2017-06-09 14:38:35 -0700
committer: John Johansen <john.johansen@canonical.com> 2017-06-10 17:11:42 -0700
commit: 290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 (patch)
tree: 41b1a79cb019d8fbbb1b07c28e5d926656728ccd /security/apparmor/include/ipc.h
parent: apparmor: move ptrace checks to using labels (diff)
download: wireguard-linux-290f458a4f16f9cf6cb6562b249e69fe1c3c3a07.tar.xz
wireguard-linux-290f458a4f16f9cf6cb6562b249e69fe1c3c3a07.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
index fb3e751e6eed..656fdb81c8a0 100644
--- a/security/apparmor/include/ipc.h
+++ b/security/apparmor/include/ipc.h
@@ -21,6 +21,12 @@ struct aa_profile;
 
 #define AA_PTRACE_TRACE		MAY_WRITE
 #define AA_PTRACE_READ		MAY_READ
+#define AA_MAY_BE_TRACED	AA_MAY_APPEND
+#define AA_MAY_BE_READ		AA_MAY_CREATE
+#define PTRACE_PERM_SHIFT	2
+
+#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
+			     AA_MAY_BE_READ | AA_MAY_BE_TRACED)
 
 int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
 		  u32 request);
author	John Johansen <john.johansen@canonical.com>	2017-06-09 14:38:35 -0700
committer	John Johansen <john.johansen@canonical.com>	2017-06-10 17:11:42 -0700
commit	290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 (patch)
tree	41b1a79cb019d8fbbb1b07c28e5d926656728ccd /security/apparmor/include/ipc.h
parent	apparmor: move ptrace checks to using labels (diff)
download	wireguard-linux-290f458a4f16f9cf6cb6562b249e69fe1c3c3a07.tar.xz wireguard-linux-290f458a4f16f9cf6cb6562b249e69fe1c3c3a07.zip