author | John Johansen <john.johansen@canonical.com> | 2017-01-16 00:42:50 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 01:18:39 -0800 |
commit | 2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f (patch) | |
tree | 17cdd607014ece52ccafbbc472750b3d25a9f566 /security/apparmor/lsm.c | |
parent | a6f233003b1af70132619bca386dfae1862a45e8 (diff) | |
apparmor: add ns being viewed as a param to policy_view_capable()
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available and checking
that the user namespace level is the same as the policy ns level.
This strict pairing will be relaxed once true support of user namespaces
lands.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/lsm.c')
-rw-r--r-- | security/apparmor/lsm.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f852cd626f2e..f83ba33651a0 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -745,7 +745,7 @@ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp
 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 {
- if (!policy_view_capable())
+ if (!policy_view_capable(NULL))
 return -EPERM;
 return param_get_bool(buffer, kp);
 }
@@ -759,7 +759,7 @@ static int param_set_aabool(const char *val, const struct kernel_param *kp)
 static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 {
- if (!policy_view_capable())
+ if (!policy_view_capable(NULL))
 return -EPERM;
 return param_get_bool(buffer, kp);
 }
@@ -773,14 +773,14 @@ static int param_set_aauint(const char *val, const struct kernel_param *kp)
 static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 {
- if (!policy_view_capable())
+ if (!policy_view_capable(NULL))
 return -EPERM;
 return param_get_uint(buffer, kp);
 }
 static int param_get_audit(char *buffer, struct kernel_param *kp)
 {
- if (!policy_view_capable())
+ if (!policy_view_capable(NULL))
 return -EPERM;
 if (!apparmor_enabled) |
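Review bot: The bare `NULL` passed to `policy_view_capable()` in all four getters (`param_get_aalockpolicy`, `param_get_aabool`, `param_get_aauint`, `param_get_audit`) does not say which namespace the permission check is made against. The callee's definition is outside this file's diff, so presumably NULL selects the caller's current policy namespace; that should be confirmed. Because these getters expose module-wide parameters rather than per-namespace state, a short comment at the first call, e.g. `/* NULL: check against the current task's policy ns; params are global */`, would make the intended access decision reviewable. It is also worth confirming in the callee that a NULL ns cannot let the new user-namespace level comparison pass for a task that is root only inside a nested user namespace. `param_get_audit` continues past the end of the last hunk.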