#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/gfp.h>
+#include <linux/security.h>
#include "include/apparmor.h"
#include "include/capability.h"
* audit_caps - audit a capability
* @profile: profile being tested for confinement (NOT NULL)
* @cap: capability tested
+ @audit: whether an audit record should be generated
* @error: error code returned by test
*
* Do auditing of capability and handle, audit/complain/kill modes switching
*
* Returns: 0 or sa->error on success, error code on failure
*/
-static int audit_caps(struct aa_profile *profile, int cap, int error)
+static int audit_caps(struct aa_profile *profile, int cap, int audit,
+ int error)
{
struct audit_cache *ent;
int type = AUDIT_APPARMOR_AUTO;
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
sa.u.cap = cap;
aad(&sa)->error = error;
+ if (audit == SECURITY_CAP_NOAUDIT)
+ aad(&sa)->info = "optional: no audit";
if (likely(!error)) {
/* test if auditing is being forced */
{
int error = profile_capable(profile, cap);
- if (!audit) {
- if (COMPLAIN_MODE(profile))
- return complain_error(error);
- return error;
+ if (audit == SECURITY_CAP_NOAUDIT) {
+ if (!COMPLAIN_MODE(profile))
+ return error;
}
- return audit_caps(profile, cap, error);
+ return audit_caps(profile, cap, audit, error);
}
projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff