Merge tag 'v3.10.107' into update

[GitHub/mt8127/android_kernel_alcatel_ttab.git] / security / apparmor / policy.c

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 813200384d97cfc7f06a76e9b2f6286be7dfa7ab..c4780e108d7dbc7deb72f41eaf9c712d45189851 100644 (file)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1002,6 +1002,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
                        &sa, NULL);
 }
 
+bool policy_view_capable(void)
+{
+       struct user_namespace *user_ns = current_user_ns();
+       bool response = false;
+
+       if (ns_capable(user_ns, CAP_MAC_ADMIN))
+               response = true;
+
+       return response;
+}
+
+bool policy_admin_capable(void)
+{
+       return policy_view_capable() && !aa_g_lock_policy;
+}
+
 /**
  * aa_may_manage_policy - can the current task manage policy
  * @op: the policy manipulation operation being done
@@ -1016,7 +1032,7 @@ bool aa_may_manage_policy(int op)
                return 0;
        }
 
-       if (!capable(CAP_MAC_ADMIN)) {
+       if (!policy_admin_capable()) {
                audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
                return 0;
        }