diff options
| author | John Johansen <john.johansen@canonical.com> | 2023-08-09 00:26:36 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2023-10-18 15:48:44 -0700 |
| commit | 2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (patch) | |
| tree | 3ddeaaf865425ba25becb5d22aa6173a59894298 /security/apparmor/lsm.c | |
| parent | e105d8079f82819f4773c4853dc199e195fedf40 (diff) | |
| download | lwn-2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc.tar.gz lwn-2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc.zip | |
apparmor: allow restricting unprivileged change_profile
unprivileged unconfined can use change_profile to alter the confinement
set by the mac admin.
Allow restricting unprivileged unconfined by still allowing change_profile
but stacking the change against unconfined. This allows unconfined to
still apply system policy but allows the task to enter the new confinement.
If unprivileged unconfined is required a sysctl is provided to switch
to the previous behavior.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/lsm.c')
| -rw-r--r-- | security/apparmor/lsm.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index bcfe8b9cb4c1..518576ae3cfb 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1798,6 +1798,13 @@ static struct ctl_table apparmor_sysctl_table[] = { .mode = 0600, .proc_handler = apparmor_dointvec, }, + { + .procname = "apparmor_restrict_unprivileged_unconfined", + .data = &aa_unprivileged_unconfined_restricted, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = apparmor_dointvec, + }, { } }; |