apparmor: allow ptrace checks to be finer grained than just capability

Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2017-06-09 14:38:35 -0700
committer: John Johansen <john.johansen@canonical.com> 2017-06-10 17:11:42 -0700
commit: 290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 (patch)
tree: 41b1a79cb019d8fbbb1b07c28e5d926656728ccd /security/apparmor/apparmorfs.c
parent: b2d09ae449cedc6f276ac485c013d22a97d36992 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index d24100f8fd98..d1a6ce499776 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2086,6 +2086,11 @@ static struct aa_sfs_entry aa_sfs_entry_file[] = {
 	{ }
 };
 
+static struct aa_sfs_entry aa_sfs_entry_ptrace[] = {
+	AA_SFS_FILE_STRING("mask", "read trace"),
+	{ }
+};
+
 static struct aa_sfs_entry aa_sfs_entry_domain[] = {
 	AA_SFS_FILE_BOOLEAN("change_hat",	1),
 	AA_SFS_FILE_BOOLEAN("change_hatv",	1),
@@ -2125,6 +2130,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
 	AA_SFS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
 	AA_SFS_DIR("rlimit",			aa_sfs_entry_rlimit),
 	AA_SFS_DIR("caps",			aa_sfs_entry_caps),
+	AA_SFS_DIR("ptrace",			aa_sfs_entry_ptrace),
 	AA_SFS_DIR("query",			aa_sfs_entry_query),
 	{ }
 };
author	John Johansen <john.johansen@canonical.com>	2017-06-09 14:38:35 -0700
committer	John Johansen <john.johansen@canonical.com>	2017-06-10 17:11:42 -0700
commit	290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 (patch)
tree	41b1a79cb019d8fbbb1b07c28e5d926656728ccd /security/apparmor/apparmorfs.c
parent	b2d09ae449cedc6f276ac485c013d22a97d36992 (diff)