summaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2020-07-01 02:18:18 -0700
committerJohn Johansen <john.johansen@canonical.com>2021-02-07 04:14:57 -0800
commit31ec99e13346c22a7c8ca18e044684a870063cef (patch)
treeb5e94a01244c0f7610363e9b4548b9e981adc735 /security/apparmor
parent92de220a7f336367127351da58cff691da5bb17b (diff)
downloadlinux-31ec99e13346c22a7c8ca18e044684a870063cef.tar.bz2
apparmor: switch to apparmor to internal capable check for policy management
With LSM stacking calling back into capable to check for MAC_ADMIN for apparmor policy results in asking the other stacked LSMs for MAC_ADMIN resulting in the other LSMs answering based on their policy management. For apparmor policy management we just need to call apparmor's capability fn directly. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/policy.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index e680121e013e..9ce93966401a 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -631,6 +631,22 @@ static int audit_policy(struct aa_label *label, const char *op,
return error;
}
+/* don't call out to other LSMs in the stack for apparmor policy admin
+ * permissions
+ */
+static int policy_ns_capable(struct aa_label *label,
+ struct user_namespace *userns, int cap)
+{
+ int err;
+
+ /* check for MAC_ADMIN cap in cred */
+ err = cap_capable(current_cred(), userns, cap, CAP_OPT_NONE);
+ if (!err)
+ err = aa_capable(label, cap, CAP_OPT_NONE);
+
+ return err;
+}
+
/**
* aa_policy_view_capable - check if viewing policy in at @ns is allowed
* label: label that is trying to view policy in ns
@@ -662,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
{
struct user_namespace *user_ns = current_user_ns();
- bool capable = ns_capable(user_ns, CAP_MAC_ADMIN);
+ bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);
AA_DEBUG("cap_mac_admin? %d\n", capable);
AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);