/**
 * cross_ptrace_perm - check a ptrace request between two profiles, both ways
 * @tracer: profile of the task that wants to trace
 * @tracee: profile of the task that would be traced
 * @request: ptrace permission bits requested by @tracer
 * @sa: audit data; its apparmor fields are filled in on the fallback path
 *
 * Whether mediation applies is decided solely by @tracer's policy.  When
 * @tracer mediates the ptrace class, the result is xcheck() over two lookups:
 * @tracer's permission to trace @tracee, and @tracee's permission to be traced
 * by @tracer (the latter queried with @request shifted by PTRACE_PERM_SHIFT).
 *
 * When @tracer does not mediate ptrace, the legacy rule applies: an unconfined
 * tracer, or a profile tracing itself, is allowed without any audit record;
 * every other pairing requires CAP_SYS_PTRACE on @tracer's label, and the
 * outcome is audited through audit_ptrace_cb().  @tracee's own policy is not
 * consulted on this fallback path.
 *
 * NOTE(review): aa_capable() is passed a literal 1 here, whereas
 * profile_tracer_perm() passes CAP_OPT_NONE -- confirm against the
 * aa_capable() signature in this tree before touching either.
 *
 * Returns: the permission/audit result (presumably 0 when permitted and a
 * negative error otherwise; verify against profile_ptrace_perm()/aa_audit()).
 */
static int cross_ptrace_perm(struct aa_profile *tracer,
			     struct aa_profile *tracee, u32 request,
			     struct common_audit_data *sa)
{
	int err;

	if (!PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE)) {
		/* policy uses the old style capability check for ptrace */
		if (profile_unconfined(tracer) || tracer == tracee)
			return 0;

		/* aa_capable() does not take @sa, so it can run before the
		 * audit data is populated */
		err = aa_capable(&tracer->label, CAP_SYS_PTRACE, 1);

		aad(sa)->label = &tracer->label;
		aad(sa)->target = tracee->base.hname;
		aad(sa)->request = 0;
		aad(sa)->error = err;

		return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa,
				audit_ptrace_cb);
	}

	/* mediated: both the tracer's and the tracee's side must agree */
	return xcheck(profile_ptrace_perm(tracer, tracee, request, sa),
		      profile_ptrace_perm(tracee, tracer,
					  request << PTRACE_PERM_SHIFT, sa));
}
/**
 * profile_tracee_perm - evaluate the tracee side of a ptrace request
 * @tracee: profile of the task that would be traced
 * @tracer: label of the task that wants to trace
 * @request: ptrace permission bits requested
 * @sa: audit data passed through to profile_ptrace_perm()
 *
 * Three conditions short-circuit to 0, checked in this order: @tracee is
 * unconfined, @tracer is unconfined, or @tracee's policy does not mediate the
 * ptrace class.  Only when all three fail is @tracee's ptrace policy actually
 * consulted.  The tracer side is evaluated separately (see
 * profile_tracer_perm()).
 *
 * Returns: 0 when no check is performed, otherwise the result of
 * profile_ptrace_perm().
 */
static int profile_tracee_perm(struct aa_profile *tracee,
			       struct aa_label *tracer, u32 request,
			       struct common_audit_data *sa)
{
	/* guard clauses keep the original evaluation order */
	if (profile_unconfined(tracee))
		return 0;
	if (unconfined(tracer))
		return 0;
	if (!PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
		return 0;

	return profile_ptrace_perm(tracee, tracer, request, sa);
}
/**
 * profile_tracer_perm - evaluate the tracer side of a ptrace request
 * @tracer: profile of the task that wants to trace
 * @tracee: label of the task that would be traced
 * @request: ptrace permission bits requested by @tracer
 * @sa: audit data; its apparmor fields are filled in on the fallback path
 *
 * An unconfined @tracer is allowed outright, before mediation is even
 * considered.  If @tracer's policy mediates the ptrace class, the decision is
 * delegated to profile_ptrace_perm().  Otherwise the legacy rule applies:
 * tracing one's own label is allowed silently, and anything else requires
 * CAP_SYS_PTRACE on @tracer's label, with the outcome audited via
 * audit_ptrace_cb().  The tracee side is evaluated separately (see
 * profile_tracee_perm()).
 *
 * Returns: the permission/audit result (presumably 0 when permitted and a
 * negative error otherwise; verify against profile_ptrace_perm()/aa_audit()).
 */
static int profile_tracer_perm(struct aa_profile *tracer,
			       struct aa_label *tracee, u32 request,
			       struct common_audit_data *sa)
{
	struct aa_label *tracer_label = &tracer->label;
	int err;

	if (profile_unconfined(tracer))
		return 0;

	if (!PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE)) {
		/* profile uses the old style capability check for ptrace */
		if (tracer_label == tracee)
			return 0;

		/* aa_capable() does not take @sa, so it can run before the
		 * audit data is populated */
		err = aa_capable(tracer_label, CAP_SYS_PTRACE, CAP_OPT_NONE);

		aad(sa)->label = tracer_label;
		aad(sa)->peer = tracee;
		aad(sa)->request = 0;
		aad(sa)->error = err;

		return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa,
				audit_ptrace_cb);
	}

	return profile_ptrace_perm(tracer, tracee, request, sa);
}