Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm...
[karo-tx-linux.git] / security / yama / yama_lsm.c
index 2663145d1197a104b71f0e2feca175d21156ee00..23414b93771f30ec82ccf76b6cfb49fbed27edef 100644 (file)
@@ -298,14 +298,18 @@ int yama_ptrace_access_check(struct task_struct *child,
                        /* No additional restrictions. */
                        break;
                case YAMA_SCOPE_RELATIONAL:
+                       rcu_read_lock();
                        if (!task_is_descendant(current, child) &&
                            !ptracer_exception_found(current, child) &&
-                           !ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
+                           !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
                                rc = -EPERM;
+                       rcu_read_unlock();
                        break;
                case YAMA_SCOPE_CAPABILITY:
-                       if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
+                       rcu_read_lock();
+                       if (!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
                                rc = -EPERM;
+                       rcu_read_unlock();
                        break;
                case YAMA_SCOPE_NO_ATTACH:
                default:
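Review bot: The lock/check/unlock sequence around `__task_cred(...)->user_ns` is now written out three times (both cases in this hunk and the YAMA_SCOPE_CAPABILITY case in yama_ptrace_traceme), and nothing records why the lock is needed. A small static helper would keep the RCU read-side section as narrow as the cred dereference requires, and would give one place for a comment that the pointer returned by `__task_cred()` may only be used inside that section. In the YAMA_SCOPE_RELATIONAL case the helper call should stay last in the `&&` chain, so the capability check still runs only after the descendant and exception tests have both failed. The switch and the rest of yama_ptrace_access_check lie outside this hunk.

```c
/* __task_cred() and the user_ns it points to are only stable under RCU. */
static bool yama_has_ptrace_cap(struct task_struct *tsk)
{
	bool capable;

	rcu_read_lock();
	capable = ns_capable(__task_cred(tsk)->user_ns, CAP_SYS_PTRACE);
	rcu_read_unlock();
	return capable;
}

/* … unchanged: preceding case … */
		case YAMA_SCOPE_RELATIONAL:
			if (!task_is_descendant(current, child) &&
			    !ptracer_exception_found(current, child) &&
			    !yama_has_ptrace_cap(child))
				rc = -EPERM;
			break;
		case YAMA_SCOPE_CAPABILITY:
			if (!yama_has_ptrace_cap(child))
				rc = -EPERM;
			break;
```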
@@ -343,8 +347,10 @@ int yama_ptrace_traceme(struct task_struct *parent)
        /* Only disallow PTRACE_TRACEME on more aggressive settings. */
        switch (ptrace_scope) {
        case YAMA_SCOPE_CAPABILITY:
-               if (!ns_capable(task_user_ns(parent), CAP_SYS_PTRACE))
+               rcu_read_lock();
+               if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
                        rc = -EPERM;
+               rcu_read_unlock();
                break;
        case YAMA_SCOPE_NO_ATTACH:
                rc = -EPERM;
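Review bot: `ns_capable()` tests the credentials of `current`, which on the PTRACE_TRACEME path is the task asking to be traced, so `ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE)` appears to ask whether the would-be tracee holds CAP_SYS_PTRACE in the parent's namespace, not whether the tracing parent holds it. If YAMA_SCOPE_CAPABILITY is meant to require a privileged tracer, the subject of the check should be `parent`, for example `if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))`, which as far as I know takes the RCU read lock itself and would make the explicit section here unnecessary. The commit only swaps how the namespace is looked up and leaves the subject as it was. Most of yama_ptrace_traceme is outside the hunk, so the intended subject should be confirmed against the full function.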