[SRU][Bionic][PATCH 0/1] Fix ptrace read check (LP: 1890848)

Georgia Garcia georgia.garcia at canonical.com
Fri Jul 16 16:14:37 UTC 2021


BugLink: https://bugs.launchpad.net/bugs/1890848

SRU Justification:

[Impact]
Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
only 'ptrace read' should be required according to 'man namespaces':

"Permission to dereference or read (readlink(2)) these symbolic links
is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."

[Fix]

Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes the ptrace
read check.

[Test Plan]

BugLink contains the source of a binary that reproduces the issue. In
summary, it executes readlink() on /proc/*/ns/*. There's also a policy
that has only 'ptrace read' permission. When the bug is fixed,
execution is allowed.
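The BugLink reproducer itself is not reproduced here. The following is an added example, not the bug's attached source, showing the same check in working code: it walks /proc/<pid>/ns and calls readlink() on every entry, printing each target and whether the kernel allowed the read. Run under a profile that grants only 'ptrace read' toward the target process, a failing readlink() with EACCES is the symptom described above; after the fix it succeeds. The function names (ns_links_readable, ns_link_inode, ns_link_type_is) are this example's own.

```c
/* Added example: readlink() every entry under /proc/<pid>/ns and report
 * which ones the kernel lets us read. namespaces(7) says this needs only a
 * PTRACE_MODE_READ_FSCREDS check on the target, i.e. 'ptrace read' in an
 * AppArmor profile, not 'ptrace trace'. */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Return the inode number from a link target of the form "net:[4026531992]",
 * or 0 if the string is not in that format. */
unsigned long ns_link_inode(const char *link)
{
    const char *colon = strchr(link, ':');
    const char *open = strchr(link, '[');
    if (!colon || !open || open != colon + 1)
        return 0;
    char *end = NULL;
    unsigned long ino = strtoul(open + 1, &end, 10);
    if (end == open + 1 || *end != ']' || end[1] != '\0')
        return 0;
    return ino;
}

/* Return 1 if the link target names namespace type 'type' (e.g. "net"). */
int ns_link_type_is(const char *link, const char *type)
{
    size_t n = strlen(type);
    return strncmp(link, type, n) == 0 && link[n] == ':';
}

/* Walk /proc/<pid>/ns and readlink() each entry. Returns 1 if every entry
 * could be read, 0 if at least one readlink() failed, -1 if the directory
 * could not be opened (no /proc, no such pid, or no access at all).
 * Each result is printed so a run doubles as a manual test log. */
int ns_links_readable(pid_t pid)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/proc/%ld/ns", (long)pid);
    DIR *d = opendir(dir);
    if (!d) {
        fprintf(stderr, "opendir(%s): %s\n", dir, strerror(errno));
        return -1;
    }
    int all_ok = 1;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (de->d_name[0] == '.')
            continue;
        char path[512], target[256];
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        ssize_t len = readlink(path, target, sizeof target - 1);
        if (len < 0) {
            /* EACCES here under a 'ptrace read'-only profile is the bug. */
            printf("%s: readlink failed: %s\n", path, strerror(errno));
            all_ok = 0;
            continue;
        }
        target[len] = '\0';
        printf("%s -> %s (inode %lu)\n", path, target, ns_link_inode(target));
    }
    closedir(d);
    return all_ok;
}

int main(int argc, char **argv)
{
    /* Default to our own pid; pass another pid to exercise the cross-process
     * ptrace read check under a confining profile. */
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    int rc = ns_links_readable(pid);
    return rc == 1 ? 0 : 1;
}
```

Reading a process's own namespace links always passes the kernel's ptrace access check, so the interesting run is against another pid from a confined process whose profile carries a rule of the form `ptrace (read) peer=<target label>,` and no `trace` permission; the exit status tells the two kernel behaviours apart.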

[Where problems could occur]

The regression risk can be considered low, since the fix lowers the number
of permissions required. Existing policies that already contain the
permissions 'ptrace trace' and 'ptrace read' will have a broader policy
than required.

John Johansen (1):
  apparmor: fix ptrace read check

 security/apparmor/lsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.25.1
