SELinux: Handle audit locking for PTRACE_MODE_IBPB

The SELinux audit code locking cannot be used from the task switching code, which is where PTRACE_MODE_IBPB comes from. As this is a system check, not a user action, audit is not needed, and would generate noise. Use the unaudited check for this case.

Signed-off-by: Casey Schaufler
---
 kernel/ptrace.c | 4 +---
 security/selinux/hooks.c | 5 +++++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 5c5e7cb597cd..202a4d9c2af7 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -330,9 +330,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 !ptrace_has_cap(mm->user_ns, mode))))
 return -EPERM;

- if (!(mode & PTRACE_MODE_NOACCESS_CHK))
- return security_ptrace_access_check(task, mode);
- return 0;
+ return security_ptrace_access_check(task, mode);
 }

 bool ptrace_may_access(struct task_struct *task, unsigned int mode)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 161a4f29f860..30d21142e9fe 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2215,7 +2215,12 @@ static int selinux_ptrace_access_check(struct task_struct *child,
 {
 u32 sid = current_sid();
 u32 csid = task_sid(child);
+ struct av_decision avd;
+ if (mode == PTRACE_MODE_IBPB)
+ return avc_has_perm_noaudit(&selinux_state, sid, csid,
+ SECCLASS_PROCESS, PROCESS__PTRACE,
+ 0, &avd);
 if (mode & PTRACE_MODE_READ)
 return avc_has_perm(&selinux_state, sid, csid, SECCLASS_FILE, FILE__READ, NULL);
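Review bot: With the `PTRACE_MODE_NOACCESS_CHK` bypass removed, the final `return security_ptrace_access_check(task, mode);` in `__ptrace_may_access()` is reached for every mode, so every registered LSM's ptrace hook now runs on the task-switch path, not only SELinux's. This patch adapts only the SELinux hook. Whether other LSM hooks audit or take locks that are unsafe in that context cannot be seen from here and should be confirmed before the bypass is dropped. A comment above the return would record the new contract, e.g. `/* Also called from task switching (PTRACE_MODE_IBPB): LSM hooks must not audit on that path. */`. The function body starts outside the hunk.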
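Review bot: The new guard `if (mode == PTRACE_MODE_IBPB)` in `selinux_ptrace_access_check()` compares a bitmask for exact equality, while the next check tests it with `mode & PTRACE_MODE_READ`. If a caller ever passes the IBPB mode with an extra flag set, the call falls through to the audited `avc_has_perm()` path that the commit message says cannot be used from task switching. The definition of `PTRACE_MODE_IBPB` is not in this hunk, but if it is a flag combination, `if ((mode & PTRACE_MODE_IBPB) == PTRACE_MODE_IBPB)` would be the more defensive test. The branch also needs a short comment saying the unaudited check is used because AVC audit locking is unsafe here and that `avd` is only a required out-parameter. The function's signature and tail lie outside the hunk.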