Allow confined processes th ptrace other processes if they have CAP_SYS_PTRACE.

kernel-patches/for-mainline/ptrace.diff

@@ -0,0 +1,36 @@
+Index: b/security/apparmor/lsm.c
+===================================================================
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -74,10 +74,28 @@ static int aa_reject_syscall(struct task
+ static int apparmor_ptrace(struct task_struct *parent,
+ 			    struct task_struct *child)
+ {
+-	int error = cap_ptrace(parent, child);
++	int error;
++
++	/**
++	 * Right now, we only allow confined processes to ptrace other
++	 * processes if they have CAP_SYS_PTRACE. We could allow ptrace
++	 * under the rules that the kernel normally permits if the two
++	 * processes are running under the same profile, but then we
++	 * would probably have to reject profile changes for processes
++	 * that are being ptraces as well as for processes ptracing
++	 * others.
++	 */
++
++	error = cap_ptrace(parent, child);
++	if (!error) {
++		struct aa_profile *profile;
+ 
+-	if (!error)
+-		error = aa_reject_syscall(parent, GFP_KERNEL, "ptrace");
++		profile = aa_get_profile(parent);
++		if (profile) {
++			error = aa_capability(profile, CAP_SYS_PTRACE);
++		}
++		aa_put_profile(profile);
++	}
+ 
+ 	return error;
+ }

kernel-patches/for-mainline/series

@@ -80,3 +80,4 @@ rework-locking.diff
 rework-locking-2.diff
 unreachabe-paths.diff
 rename-aa_fork.diff
+ptrace.diff