summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-01-16 11:42:51 +0300
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 12:18:40 +0300
commitfd2a80438d736012129977bec779db093979057e (patch)
treee3d544c4617f91a39b953f7ffa93f7fda662bc3b /security
parent2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f (diff)
downloadlinux-fd2a80438d736012129977bec779db093979057e.tar.xz
apparmor: add ns being viewed as a param to policy_admin_capable()
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/include/policy.h2
-rw-r--r--security/apparmor/lsm.c12
-rw-r--r--security/apparmor/policy.c12
3 files changed, 16 insertions, 10 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index b0b65c525bcc..27f9171fa31f 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -300,7 +300,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
}
bool policy_view_capable(struct aa_ns *ns);
-bool policy_admin_capable(void);
+bool policy_admin_capable(struct aa_ns *ns);
bool aa_may_manage_policy(int op);
#endif /* __AA_POLICY_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f83ba33651a0..09f1c407c4d8 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -738,7 +738,7 @@ __setup("apparmor=", apparmor_enabled_setup);
/* set global flag turning off the ability to load policy */
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_admin_capable(NULL))
return -EPERM;
return param_set_bool(val, kp);
}
@@ -752,7 +752,7 @@ static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
static int param_set_aabool(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_admin_capable(NULL))
return -EPERM;
return param_set_bool(val, kp);
}
@@ -766,7 +766,7 @@ static int param_get_aabool(char *buffer, const struct kernel_param *kp)
static int param_set_aauint(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_admin_capable(NULL))
return -EPERM;
return param_set_uint(val, kp);
}
@@ -792,7 +792,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
static int param_set_audit(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable())
+ if (!policy_admin_capable(NULL))
return -EPERM;
if (!apparmor_enabled)
@@ -813,7 +813,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
static int param_get_mode(char *buffer, struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_view_capable(NULL))
return -EPERM;
if (!apparmor_enabled)
@@ -825,7 +825,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
static int param_set_mode(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable())
+ if (!policy_admin_capable(NULL))
return -EPERM;
if (!apparmor_enabled)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index f092c04c7c4e..ef64c25b2a45 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -637,9 +637,15 @@ bool policy_view_capable(struct aa_ns *ns)
return response;
}
-bool policy_admin_capable(void)
+bool policy_admin_capable(struct aa_ns *ns)
{
- return policy_view_capable(NULL) && !aa_g_lock_policy;
+ struct user_namespace *user_ns = current_user_ns();
+ bool capable = ns_capable(user_ns, CAP_MAC_ADMIN);
+
+ AA_DEBUG("cap_mac_admin? %d\n", capable);
+ AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
+
+ return policy_view_capable(ns) && capable && !aa_g_lock_policy;
}
/**
@@ -657,7 +663,7 @@ bool aa_may_manage_policy(int op)
return 0;
}
- if (!policy_admin_capable()) {
+ if (!policy_admin_capable(NULL)) {
audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
"not policy admin", -EACCES);
return 0;