diff options
| author | John Johansen <john.johansen@canonical.com> | 2016-06-22 18:01:08 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2016-07-12 08:43:10 -0700 |
| commit | 58acf9d911c8831156634a44d0b022d683e1e50c (patch) | |
| tree | df76653f50579f989c36eab7139919523f50d561 /security/apparmor/policy.c | |
| parent | 5f20fdfed16bc599a325a145bf0123a8e1c9beea (diff) | |
| download | linux-58acf9d911c8831156634a44d0b022d683e1e50c.tar.bz2 | |
apparmor: fix module parameters can be changed after policy is locked
the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.
split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy.c')
| -rw-r--r-- | security/apparmor/policy.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 780712553651..179e68d7dc5f 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -918,6 +918,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info, &sa, NULL); } +bool policy_view_capable(void) +{ + struct user_namespace *user_ns = current_user_ns(); + bool response = false; + + if (ns_capable(user_ns, CAP_MAC_ADMIN)) + response = true; + + return response; +} + +bool policy_admin_capable(void) +{ + return policy_view_capable() && !aa_g_lock_policy; +} + /** * aa_may_manage_policy - can the current task manage policy * @op: the policy manipulation operation being done @@ -932,7 +948,7 @@ bool aa_may_manage_policy(int op) return 0; } - if (!capable(CAP_MAC_ADMIN)) { + if (!policy_admin_capable()) { audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES); return 0; } |