Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: switch apparmor to internal capable check for policy management

With LSM stacking, calling back into capable() to check for MAC_ADMIN
for apparmor policy results in asking the other stacked LSMs for
MAC_ADMIN, resulting in the other LSMs answering based on their
policy management.

For apparmor policy management we just need to call apparmor's
capability fn directly.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+17 -1
security/apparmor/policy.c
··· 631 631 return error; 632 632 } 633 633 634 + /* don't call out to other LSMs in the stack for apparmor policy admin 635 + * permissions 636 + */ 637 + static int policy_ns_capable(struct aa_label *label, 638 + struct user_namespace *userns, int cap) 639 + { 640 + int err; 641 + 642 + /* check for MAC_ADMIN cap in cred */ 643 + err = cap_capable(current_cred(), userns, cap, CAP_OPT_NONE); 644 + if (!err) 645 + err = aa_capable(label, cap, CAP_OPT_NONE); 646 + 647 + return err; 648 + } 649 + 634 650 /** 635 651 * aa_policy_view_capable - check if viewing policy in at @ns is allowed 636 652 * label: label that is trying to view policy in ns ··· 678 662 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns) 679 663 { 680 664 struct user_namespace *user_ns = current_user_ns(); 681 - bool capable = ns_capable(user_ns, CAP_MAC_ADMIN); 665 + bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN); 682 666 683 667 AA_DEBUG("cap_mac_admin? %d\n", capable); 684 668 AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
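Review bot: In the new policy_ns_capable(), the contract differs from the ns_capable() it replaces in two ways that the comment should spell out. It returns an int (0 on success, a negative errno from cap_capable() or aa_capable() on denial) rather than a bool, and calling cap_capable() directly skips the PF_SUPERPRIV marking that ns_capable() performs on a successful privileged check, so processes that use CAP_MAC_ADMIN to load policy will no longer be flagged as having used a privilege. If dropping the PF_SUPERPRIV side effect is intended, say so in the comment; either way the block comment should follow kernel style ("/*" on its own line) and ideally be a kernel-doc header documenting the 0 / -errno return.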
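Review bot: The assignment in aa_policy_admin_capable() inverts the check. policy_ns_capable() returns 0 on success and a negative error on denial, but the result is stored straight into "bool capable", so a successful check yields false and a denied one yields true, and the AA_DEBUG("cap_mac_admin? %d\n", capable) line will print the inverted value too. Compare the result explicitly, e.g. "bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;", so that only callers that actually hold CAP_MAC_ADMIN and pass the apparmor capability check are treated as policy admins.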