apparmor: add profile and ns params to aa_may_manage_policy()
authorJohn Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 08:42:52 +0000 (00:42 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 09:18:40 +0000 (01:18 -0800)
Policy management will be expanded beyond traditional unconfined root.
This will require knowing the profile of the task doing the management
and the ns view.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/apparmorfs.c
security/apparmor/include/policy.h
security/apparmor/policy.c

index 9fd7f73a4e86f92d5b5558b11cfe1f4b6400862a..cc6ee1ee2b42b582f13ef0b5ed962aae7728bb2a 100644 (file)
@@ -100,7 +100,7 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
         * Don't allow profile load/replace/remove from profiles that don't
         * have CAP_MAC_ADMIN
         */
-       if (!aa_may_manage_policy(op))
+       if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))
                return ERR_PTR(-EACCES);
 
        /* freed by caller to simple_write_to_buffer */
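Review bot: The guard `if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))` keeps the old boolean test, although this commit changes the function to return 0 when management is allowed and an error otherwise (see the policy.c hunk and its updated kernel-doc). Under the new convention `!0` is true, so a permitted caller is rejected with -EACCES. A denied caller falls through to the buffer copy, assuming audit_policy() returns the non-zero error it is passed, so the policy-lock and admin-capability gate is inverted. Propagate the result instead: `error = aa_may_manage_policy(__aa_current_profile(), NULL, op);` followed by `if (error) return ERR_PTR(error);`. The body of aa_simple_write_to_buffer starts and ends outside this hunk, so an `int error` local may need declaring, and any other caller converted the same mechanical way deserves the same check.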
index 27f9171fa31ffd9ed3a0f32f8bff1f60b1e55188..95641e235d47c88885f17a778e4ba5bdf9d8f96e 100644 (file)
@@ -301,6 +301,6 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 
 bool policy_view_capable(struct aa_ns *ns);
 bool policy_admin_capable(struct aa_ns *ns);
-bool aa_may_manage_policy(int op);
+int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);
 
 #endif /* __AA_POLICY_H */
index ef64c25b2a4568381bcc47327bf2addcfcbe0639..27d93aa58016da53c9a3681ebc028a2c78e73433 100644 (file)
@@ -650,26 +650,24 @@ bool policy_admin_capable(struct aa_ns *ns)
 
 /**
  * aa_may_manage_policy - can the current task manage policy
+ * @profile: profile to check if it can manage policy
  * @op: the policy manipulation operation being done
  *
- * Returns: true if the task is allowed to manipulate policy
+ * Returns: 0 if the task is allowed to manipulate policy else error
  */
-bool aa_may_manage_policy(int op)
+int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
 {
        /* check if loading policy is locked out */
-       if (aa_g_lock_policy) {
-               audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
+       if (aa_g_lock_policy)
+               return audit_policy(profile, op, GFP_KERNEL, NULL,
                             "policy_locked", -EACCES);
-               return 0;
-       }
 
-       if (!policy_admin_capable(NULL)) {
-               audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
-                            "not policy admin", -EACCES);
-               return 0;
-       }
+       if (!policy_admin_capable(ns))
+               return audit_policy(profile, op, GFP_KERNEL, NULL,
+                                   "not policy admin", -EACCES);
 
-       return 1;
+       /* TODO: add fine grained mediation of policy loads */
+       return 0;
 }
 
 static struct aa_profile *__list_lookup_parent(struct list_head *lh,
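Review bot: The kernel-doc above aa_may_manage_policy() gains `@profile` but has no entry for the new `ns` argument, and its summary still reads "can the current task manage policy" although the subject is now the profile passed in. Add a line such as ` * @ns: namespace the policy is being managed in (NULL as passed by apparmorfs.c)`. The meaning of NULL is inferred from the visible caller and from `policy_admin_capable(ns)`, so confirm it before stating it as fact. Because a truthy result used to mean "allowed" and now means "denied", the Returns line should say so explicitly, for example ` * Returns: 0 if @profile may manage policy, else the error from audit_policy()`. That makes the inverted convention hard for callers to miss.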