--- linux-2.6.18.2/arch/alpha/kernel/ptrace.c 2006-04-09 13:49:39 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/alpha/kernel/ptrace.c 2006-10-06 23:10:42 +0200 @@ -283,6 +283,11 @@ do_sys_ptrace(long request, long pid, lo goto out_notsk; } + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) { + ret = -EPERM; + goto out; + } + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out; --- linux-2.6.18.2/arch/ia64/kernel/ptrace.c 2006-09-20 16:57:58 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/ia64/kernel/ptrace.c 2006-10-07 04:29:47 +0200 @@ -1442,6 +1442,9 @@ sys_ptrace (long request, pid_t pid, uns read_unlock(&tasklist_lock); if (!child) goto out; + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) + goto out_tsk; + ret = -EPERM; if (pid == 1) /* no messing around with init! */ goto out_tsk; --- linux-2.6.18.2/arch/m68k/kernel/ptrace.c 2006-09-20 16:57:58 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/m68k/kernel/ptrace.c 2006-09-25 15:40:02 +0200 @@ -279,6 +279,8 @@ long arch_ptrace(struct task_struct *chi ret = ptrace_request(child, request, addr, data); break; } + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) + goto out_tsk; return ret; out_eio: --- linux-2.6.18.2/arch/mips/kernel/ptrace.c 2006-09-20 16:57:58 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/mips/kernel/ptrace.c 2006-10-28 21:04:21 +0200 @@ -171,6 +171,9 @@ long arch_ptrace(struct task_struct *chi { int ret; + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) + goto out; + switch (request) { /* when I and D space are separate, these will need to be fixed. */ case PTRACE_PEEKTEXT: /* read word at location addr. */ --- linux-2.6.18.2/arch/s390/kernel/ptrace.c 2006-06-18 04:52:33 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/s390/kernel/ptrace.c 2006-09-25 15:40:02 +0200 
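Review bot: The denial code for a failed `vx_check` differs between architectures: this alpha `do_sys_ptrace` hunk returns `-EPERM`, as do the s390 and generic `sys_ptrace` hunks, while the sparc and sparc64 hunks report `ESRCH`. With `-EPERM` a caller can tell a pid that exists in another context apart from one that does not exist, unless the task lookup before this hunk is already context-filtered, which is not visible here. If foreign tasks are meant to stay hidden, `ret = -ESRCH;` would match the sparc variants. Whichever code is chosen, a short comment such as `/* deny ptrace on tasks outside the caller's context */` would record the intent; the function starts and ends outside the hunk.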
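Review bot: The added `goto out_tsk` in the ia64 `sys_ptrace` hunk leaves with whatever value `ret` held before the hunk, because the test sits ahead of `ret = -EPERM;`. This assumes that assignment is the unchanged context line it appears to be, which the collapsed layout of this page does not make certain. The alpha and s390 hunks set `-EPERM` explicitly for the same denial. Moving `ret = -EPERM;` above the `vx_check` test, or assigning the intended code inside the branch, would make the result independent of code outside the hunk.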
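Review bot: In the m68k `arch_ptrace` hunk the `vx_check` test sits after the closing brace of the request `switch`, directly before `return ret;`. By the time it runs, the request (including the `ptrace_request()` default case shown just above it) has already been carried out, so it cannot stop access to a task in another context. It also jumps to `out_tsk`, while the only label visible in the hunk is `out_eio`; if `arch_ptrace` has no `out_tsk` label this will not build. The test belongs ahead of the `switch` with an explicit result, for example `if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) return -EPERM;`. The start of the function is outside the hunk, so the exact placement needs checking against the full body.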
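Review bot: In the mips `arch_ptrace` hunk the added `goto out` is taken right after the declaration `int ret;`, before anything has been assigned to `ret`. If the `out` label returns `ret` (the label is outside the hunk), a denied request hands an indeterminate value back to the caller. The v850 hunk has the same pattern with `int rval;`. Assign the result before jumping, i.e. brace the branch and add `ret = -EPERM;` before `goto out;` here and `rval = -EPERM;` in the v850 hunk.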
@@ -723,7 +723,13 @@ sys_ptrace(long request, long pid, long goto out; } + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) { + ret = -EPERM; + goto out_tsk; + } + ret = do_ptrace(child, request, addr, data); +out_tsk: put_task_struct(child); out: unlock_kernel(); --- linux-2.6.18.2/arch/sparc/kernel/ptrace.c 2006-04-09 13:49:44 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/sparc/kernel/ptrace.c 2006-10-06 23:10:42 +0200 @@ -299,6 +299,10 @@ asmlinkage void do_ptrace(struct pt_regs pt_error_return(regs, -ret); goto out; } + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) { + pt_error_return(regs, ESRCH); + goto out_tsk; + } if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH) || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) { --- linux-2.6.18.2/arch/sparc64/kernel/ptrace.c 2006-06-18 04:52:35 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/sparc64/kernel/ptrace.c 2006-10-06 23:10:42 +0200 @@ -212,6 +212,10 @@ asmlinkage void do_ptrace(struct pt_regs pt_error_return(regs, -ret); goto out; } + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) { + pt_error_return(regs, ESRCH); + goto out_tsk; + } if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH) || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) { --- linux-2.6.18.2/arch/v850/kernel/ptrace.c 2006-04-09 13:49:44 +0200 +++ linux-2.6.18.2-vs2.1.1/arch/v850/kernel/ptrace.c 2006-09-25 15:40:02 +0200 @@ -117,6 +117,9 @@ long arch_ptrace(struct task_struct *chi { int rval; + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) + goto out; + switch (request) { unsigned long val, copied; --- linux-2.6.18.2/kernel/ptrace.c 2006-09-20 16:58:44 +0200 +++ linux-2.6.18.2-vs2.1.1/kernel/ptrace.c 2006-10-07 04:29:47 +0200 
@@ -144,6 +144,11 @@ static int may_attach(struct task_struct dumpable = task->mm->dumpable; if (!dumpable && !capable(CAP_SYS_PTRACE)) return -EPERM; + if (!vx_check(task->xid, VX_ADMIN_P|VX_IDENT)) + return -EPERM; + if (!vx_check(task->xid, VX_IDENT) && + !task_vx_flags(task, VXF_STATE_ADMIN, 0)) + return -EACCES; return security_ptrace(current, task); } --- linux-2.6.18.2/kernel/ptrace.c 2006-09-20 16:58:44 +0200 +++ linux-2.6.18.2-vs2.1.1/kernel/ptrace.c 2006-10-07 04:29:47 +0200 @@ -521,6 +526,10 @@ asmlinkage long sys_ptrace(long request, goto out; } + ret = -EPERM; + if (!vx_check(vx_task_xid(child), VX_WATCH_P|VX_IDENT)) + goto out_put_task_struct; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_put_task_struct;
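Review bot: The two tests added to `may_attach` read `task->xid` directly, whereas every other hunk in this patch goes through `vx_task_xid(child)`; using the accessor here as well would keep a single way of reading a task's context id. The pair also has no comment, and the reason for the two different outcomes is not obvious from the code: `VX_ADMIN_P|VX_IDENT` gives `-EPERM`, then `VX_IDENT` combined with `VXF_STATE_ADMIN` gives `-EACCES`. I would add a comment above them along the lines of `/* caller must share the task's context or be an admin context; cross-context attach presumably also needs VXF_STATE_ADMIN on the target - confirm */`. The function starts before the hunk.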