author | John Johansen <john.johansen@canonical.com> | 2020-07-01 02:18:18 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2021-02-07 04:14:57 -0800 |
commit | 31ec99e13346c22a7c8ca18e044684a870063cef (patch) | |
tree | b5e94a01244c0f7610363e9b4548b9e981adc735 /security/apparmor/policy.c | |
parent | 92de220a7f336367127351da58cff691da5bb17b (diff) | |
apparmor: switch to apparmor to internal capable check for policy management
With LSM stacking, calling back into capable() to check for MAC_ADMIN
for apparmor policy results in asking the other stacked LSMs for
MAC_ADMIN, so the other LSMs answer based on their own
policy management.
For apparmor policy management we just need to call apparmor's
capability fn directly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy.c')
-rw-r--r-- | security/apparmor/policy.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index e680121e013e..9ce93966401a 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -631,6 +631,22 @@ static int audit_policy(struct aa_label *label, const char *op,
 	return error;
 }
 
+/* don't call out to other LSMs in the stack for apparmor policy admin
+ * permissions
+ */
+static int policy_ns_capable(struct aa_label *label,
+			     struct user_namespace *userns, int cap)
+{
+	int err;
+
+	/* check for MAC_ADMIN cap in cred */
+	err = cap_capable(current_cred(), userns, cap, CAP_OPT_NONE);
+	if (!err)
+		err = aa_capable(label, cap, CAP_OPT_NONE);
+
+	return err;
+}
+
 /**
  * aa_policy_view_capable - check if viewing policy in at @ns is allowed
  * label: label that is trying to view policy in ns
@@ -662,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
 {
 	struct user_namespace *user_ns = current_user_ns();
-	bool capable = ns_capable(user_ns, CAP_MAC_ADMIN);
+	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);
 
 	AA_DEBUG("cap_mac_admin? %d\n", capable);
 	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
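Review bot: The replacement line `bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);` in the second hunk inverts the admin check: policy_ns_capable() follows the error-code convention visible in the first hunk (`if (!err)` chains the second check, and the int from cap_capable()/aa_capable() is returned as-is), so a caller that holds the capability gets 0 and therefore `capable == false`, while a denied caller gets a negative errno and `capable == true`, the opposite of the ns_capable() being replaced. It should read `bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;`, and the block comment above policy_ns_capable() in the first hunk should spell out the contract the caller now depends on, e.g. `Returns: 0 if the current cred and @label hold @cap in @userns, a negative errno otherwise`. ns_capable() also marks the task as having used privilege (PF_SUPERPRIV) on success, which this direct cap_capable() path does not; whether that accounting matters for policy loads is not visible from the hunk. aa_policy_admin_capable() continues past the end of the second hunk.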