summaryrefslogtreecommitdiff
path: root/security/apparmor/policy.c
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-01-16 11:42:52 +0300
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 12:18:40 +0300
commit078c73c63fb2878689da334f112507639c72c14f (patch)
treea1e4ea3567f70f0863b35faac815e2658af8473e /security/apparmor/policy.c
parentfd2a80438d736012129977bec779db093979057e (diff)
downloadlinux-078c73c63fb2878689da334f112507639c72c14f.tar.xz
apparmor: add profile and ns params to aa_may_manage_policy()
Policy management will be expanded beyond traditional unconfined root. This will require knowning the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy.c')
-rw-r--r--security/apparmor/policy.c22
1 files changed, 10 insertions, 12 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index ef64c25b2a45..27d93aa58016 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -650,26 +650,24 @@ bool policy_admin_capable(struct aa_ns *ns)
/**
* aa_may_manage_policy - can the current task manage policy
+ * @profile: profile to check if it can manage policy
* @op: the policy manipulation operation being done
*
- * Returns: true if the task is allowed to manipulate policy
+ * Returns: 0 if the task is allowed to manipulate policy else error
*/
-bool aa_may_manage_policy(int op)
+int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
{
/* check if loading policy is locked out */
- if (aa_g_lock_policy) {
- audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
+ if (aa_g_lock_policy)
+ return audit_policy(profile, op, GFP_KERNEL, NULL,
"policy_locked", -EACCES);
- return 0;
- }
- if (!policy_admin_capable(NULL)) {
- audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
- "not policy admin", -EACCES);
- return 0;
- }
+ if (!policy_admin_capable(ns))
+ return audit_policy(profile, op, GFP_KERNEL, NULL,
+ "not policy admin", -EACCES);
- return 1;
+ /* TODO: add fine grained mediation of policy loads */
+ return 0;
}
static struct aa_profile *__list_lookup_parent(struct list_head *lh,