From: Chris Wright <chrisw@sous-sol.org>

PTRACE_TRACEME doesn't have proper capabilities validation when parent is
less privileged than child.  Issue pointed out by Ram Gupta
<ram.gupta5@gmail.com>.

Note: I haven't identified a strong security issue, and it's a small ABI
change that could break apps that rely on existing behaviour (which allows
parent that is less privileged than child to ptrace when child does
PTRACE_TRACEME).

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Cc: Ram Gupta <ram.gupta5@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 security/commoncap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff -puN security/commoncap.c~make-cap_ptrace-enforce-ptrace_tracme-checks security/commoncap.c
--- devel/security/commoncap.c~make-cap_ptrace-enforce-ptrace_tracme-checks	2006-03-09 19:44:50.000000000 -0800
+++ devel-akpm/security/commoncap.c	2006-03-09 19:44:50.000000000 -0800
@@ -60,8 +60,8 @@ int cap_settime(struct timespec *ts, str
 int cap_ptrace (struct task_struct *parent, struct task_struct *child)
 {
 	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
-	if (!cap_issubset (child->cap_permitted, current->cap_permitted) &&
-	    !capable(CAP_SYS_PTRACE))
+	if (!cap_issubset(child->cap_permitted, parent->cap_permitted) &&
+	    !__capable(parent, CAP_SYS_PTRACE))
 		return -EPERM;
 	return 0;
 }
_