apparmor: fix ptrace label match when matching stacked labels

Given a label with a profile stack of
  A//&B or A//&C ...

A ptrace rule should be able to specify a generic trace pattern with
a rule like

  ptrace trace A//&**,

however this is failing because while the correct label match routine
is called, it is being done post label decomposition so it is always
being done against a profile instead of the stacked label.

To fix this, refactor the cross check to pass the full peer label in to
Fixes: 290f458a4f16 ("apparmor: allow ptrace checks to be finer grained than just capability")
Cc: Stable <email@example.com>
Reported-by: Matthew Garrett <firstname.lastname@example.org>
Tested-by: Matthew Garrett <email@example.com>
Signed-off-by: John Johansen <firstname.lastname@example.org>
2 files changed
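
The mismatch the commit message describes, as an added illustration that is not code from the commit or from the AppArmor source: a rule pattern written for a stacked label can only match when it is compared with the whole label, never with the individual profiles obtained by splitting it. The matcher is a simplified glob (`*` stops at `/`, `**` does not) standing in for the kernel's compiled policy match, and `glob_match` and `count_profile_matches` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define STACK_SEP "//&"   /* separator between profiles in a stacked label */

/* Simplified glob (assumption): '*' matches within one path element,
 * '**' matches any sequence, everything else matches literally. */
static int glob_match(const char *p, const char *s)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*') {
        int deep = (p[1] == '*');
        const char *rest = p + (deep ? 2 : 1);
        for (;; s++) {
            if (glob_match(rest, s))
                return 1;
            if (*s == '\0' || (!deep && *s == '/'))
                return 0;
        }
    }
    return *s == *p && glob_match(p + 1, s + 1);
}

/* Models matching after label decomposition: the label is split into its
 * profiles and each one is compared with the rule on its own.
 * Returns the number of profiles that match, or -1 on an over-long name. */
static int count_profile_matches(const char *pat, const char *label)
{
    char name[64];
    int hits = 0;

    while (label) {
        const char *sep = strstr(label, STACK_SEP);
        size_t len = sep ? (size_t)(sep - label) : strlen(label);
        if (len >= sizeof(name))
            return -1;
        memcpy(name, label, len);
        name[len] = '\0';
        hits += glob_match(pat, name);
        label = sep ? sep + strlen(STACK_SEP) : NULL;
    }
    return hits;
}

int main(void)
{
    const char *rule = "A//&**";                    /* pattern from the commit message */
    const char *peers[] = { "A//&B", "A//&C" };     /* constructed sample labels */

    for (size_t i = 0; i < 2; i++)
        printf("%s: full label match=%d, per-profile matches=%d\n", peers[i],
               glob_match(rule, peers[i]), count_profile_matches(rule, peers[i]));
    return 0;
}
```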