Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1421933imm; Fri, 28 Sep 2018 18:49:51 -0700 (PDT) X-Google-Smtp-Source: ACcGV61XbQEQyEQCVgSrgep/l08HMGU7QJq/A9BAOw8E6HdVx1gCGHtF+0opfo+0viLpn4jXrwDU X-Received: by 2002:a63:4443:: with SMTP id t3-v6mr1112774pgk.102.1538185791456; Fri, 28 Sep 2018 18:49:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538185791; cv=none; d=google.com; s=arc-20160816; b=An4JOst6hC0jikP6QwpBMrPmPlfyybyk5ypl6lmlmyyt8z4Eb3x/RgvhdEjEX5Ti+m et/lkvuEAWfjIjE1cjCoIFSZo+TIOONcsxVst/iQ8BXUr9Z/tAiMTF2RGPwtqkVnS4hC pEgTJLvv0HBcSi1Xutp5KI/tmWVA+WkC1fwZLWnPEc06vnkHbskqDwSJu80Sw/SGs8HU 3XRLqE3rLXzxPOc/IRtKnj4R0GarQnkxEoj97bFqhHhFAJU/czUm/r+5OqTi7yvK8+V8 yP8GbcQdd1H9j9lWvU5LnZDG55UtLmRwurxUH1xRmanT4bsg4hNjhDhtVdluBrUHzTAw FYnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:mime-version :message-id:date:dkim-signature; bh=YBvPWNStdSCZdwpuY045db/PjMLed+h/ETzcHBpouRQ=; b=RovbFISgvZTyQP7oYAqMNITUPCwWOMuLn1DZAyjuUZKTcBDj4pMROS1b9fTzcfbCQx 5I7H8r9clh+uFD0aIWqjcGgA0i4EeztCqyxZyx2PExzV2M+qa1Rb9RhrsH6hompsWyCa 64d/o+LtaPy9q8YsLSdEhTU0gmK7t5UOCxWoK9cfH6suGfBhDZfj65fNRZFMh5+nUxiI Rx8VsO+61I3ZDm+u9r/jzoSCe5n9cb7BrxLrDaBOouFOPrnPD2iSkGzw8ITqQuALHJ+u ZjMN12tLtaE4ALrMCh6jiEkJzHSvxsN+wvXc+V1SXqSyay4CFKnuxw/fhtCNbY4rGHP3 ZAcw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=McxtkQgg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c8-v6si6030419pgh.418.2018.09.28.18.49.36; Fri, 28 Sep 2018 18:49:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=McxtkQgg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727352AbeI2IP7 (ORCPT + 99 others); Sat, 29 Sep 2018 04:15:59 -0400 Received: from mail-io1-f73.google.com ([209.85.166.73]:51545 "EHLO mail-io1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726617AbeI2IP7 (ORCPT ); Sat, 29 Sep 2018 04:15:59 -0400 Received: by mail-io1-f73.google.com with SMTP id w23-v6so7600094iob.18 for ; Fri, 28 Sep 2018 18:49:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=YBvPWNStdSCZdwpuY045db/PjMLed+h/ETzcHBpouRQ=; b=McxtkQggJYn2BBONilDbhns2dT6bUDeOcq3AdKGWlqzjnMmE1a2a2gM5zpVJ9D22La PtljhMT+cSXYYNn7o1X3Ap3mhll+PDujSybcEac4ApcWRYqxLp9sbrmH6GJKkySjHtgM zEOubcUY0d2ywH2vIwOcLVwXMY8M1PW4mkHInCESX2TK4xA7SJHQwbYsNLI788rJcvgx Sd/hNfgdqKe+wiG10lg8PkuspQCrWNCQtPFximDzyz99ArTTTJHvPp3JhaFtzI24vGOi G4kJsEU8+8WNbAWTOfE3gp0OalupkbCEsyKY5Chte4qghqIabh8jxp5Pc3Qz5xN8dY/X V2gQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=YBvPWNStdSCZdwpuY045db/PjMLed+h/ETzcHBpouRQ=; b=LzuFoJl07a8kfj7XCx9krXskJyNfoMK4psze3qzGC7/olK8Uh1cDuHeZwdGDr8vlAU 4sqSQ37B4+lMfsxrbXMQ+4CMc8XxwaBYr8MXqGzThcHC7OJO7ANKhsPJx61b7cCzPcTZ P74XUxR7y/Q6rmsMPcXbicmlFlmngR5gep0LYe2PdHh08smLG1EyrnXFtYsQHYHhKGkq 4Yro8qovbseQ4unrPwBIr4Q0XcGBHNkvaXnUXw5eJCGVmuEnOfzH2juq5yQiW+LpSeqn g/+IsZQOkXW6a+X4TngTHMTW51m/p9K7v0GL5aBX/rn3dDZwc7eFQ7Jlei0IR/rei9W3 KzHg== X-Gm-Message-State: ABuFfogm4oczsJ+VglCO3CRPkFfSCj0VSSzrqjS3G1POGRXbHDUKMwNa r/0j/Y3kRPh7f/xCLRBmYrGlxQahrQ== X-Received: by 2002:a24:56ce:: with SMTP id o197-v6mr3668302itb.32.1538185770744; Fri, 28 Sep 2018 18:49:30 -0700 (PDT) Date: Sat, 29 Sep 2018 03:49:26 +0200 Message-Id: <20180929014926.227002-1-jannh@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.19.0.605.g01d371f741-goog Subject: [PATCH] apparmor: don't try to replace stale label in ptraceme check From: Jann Horn To: John Johansen , apparmor@lists.ubuntu.com, jannh@google.com Cc: linux-kernel@vger.kernel.org, Cyrill Gorcunov , kernel test robot Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org begin_current_label_crit_section() must run in sleepable context because when label_is_stale() is true, aa_replace_current_label() runs, which uses prepare_creds(), which can sleep. Until now, the ptraceme access check (which runs with tasklist_lock held) violated this rule. Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels") Reported-by: Cyrill Gorcunov Reported-by: kernel test robot Signed-off-by: Jann Horn --- security/apparmor/lsm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 8c7f46a6a8dc..0f56431b4b2f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -131,11 +131,11 @@ static int apparmor_ptrace_traceme(struct task_struct *parent) struct aa_label *tracer, *tracee; int error; - tracee = begin_current_label_crit_section(); + tracee = __begin_current_label_crit_section(); tracer = aa_get_task_label(parent); error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); aa_put_label(tracer); - end_current_label_crit_section(tracee); + __end_current_label_crit_section(tracee); return error; } -- 2.19.0.605.g01d371f741-goog