diff options
author | John Johansen <john.johansen@canonical.com> | 2017-01-16 00:42:51 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 01:18:40 -0800 |
commit | fd2a80438d736012129977bec779db093979057e (patch) | |
tree | e3d544c4617f91a39b953f7ffa93f7fda662bc3b | |
parent | 2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f (diff) | |
download | linux-fd2a80438d736012129977bec779db093979057e.tar.bz2 |
apparmor: add ns being viewed as a param to policy_admin_capable()
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available.
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r-- | security/apparmor/include/policy.h | 2 | ||||
-rw-r--r-- | security/apparmor/lsm.c | 12 | ||||
-rw-r--r-- | security/apparmor/policy.c | 12 |
3 files changed, 16 insertions, 10 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index b0b65c525bcc..27f9171fa31f 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -300,7 +300,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile) } bool policy_view_capable(struct aa_ns *ns); -bool policy_admin_capable(void); +bool policy_admin_capable(struct aa_ns *ns); bool aa_may_manage_policy(int op); #endif /* __AA_POLICY_H */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index f83ba33651a0..09f1c407c4d8 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -738,7 +738,7 @@ __setup("apparmor=", apparmor_enabled_setup); /* set global flag turning off the ability to load policy */ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) { - if (!policy_admin_capable()) + if (!policy_admin_capable(NULL)) return -EPERM; return param_set_bool(val, kp); } @@ -752,7 +752,7 @@ static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) static int param_set_aabool(const char *val, const struct kernel_param *kp) { - if (!policy_admin_capable()) + if (!policy_admin_capable(NULL)) return -EPERM; return param_set_bool(val, kp); } @@ -766,7 +766,7 @@ static int param_get_aabool(char *buffer, const struct kernel_param *kp) static int param_set_aauint(const char *val, const struct kernel_param *kp) { - if (!policy_admin_capable()) + if (!policy_admin_capable(NULL)) return -EPERM; return param_set_uint(val, kp); } @@ -792,7 +792,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp) static int param_set_audit(const char *val, struct kernel_param *kp) { int i; - if (!policy_admin_capable()) + if (!policy_admin_capable(NULL)) return -EPERM; if (!apparmor_enabled) @@ -813,7 +813,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp) static int param_get_mode(char *buffer, struct kernel_param *kp) { - if (!policy_admin_capable()) + if (!policy_view_capable(NULL)) return -EPERM; if (!apparmor_enabled) @@ -825,7 +825,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp) static int param_set_mode(const char *val, struct kernel_param *kp) { int i; - if (!policy_admin_capable()) + if (!policy_admin_capable(NULL)) return -EPERM; if (!apparmor_enabled) diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index f092c04c7c4e..ef64c25b2a45 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -637,9 +637,15 @@ bool policy_view_capable(struct aa_ns *ns) return response; } -bool policy_admin_capable(void) +bool policy_admin_capable(struct aa_ns *ns) { - return policy_view_capable(NULL) && !aa_g_lock_policy; + struct user_namespace *user_ns = current_user_ns(); + bool capable = ns_capable(user_ns, CAP_MAC_ADMIN); + + AA_DEBUG("cap_mac_admin? %d\n", capable); + AA_DEBUG("policy locked? %d\n", aa_g_lock_policy); + + return policy_view_capable(ns) && capable && !aa_g_lock_policy; } /** @@ -657,7 +663,7 @@ bool aa_may_manage_policy(int op) return 0; } - if (!policy_admin_capable()) { + if (!policy_admin_capable(NULL)) { audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL, "not policy admin", -EACCES); return 0; |