author | John Johansen <john.johansen@canonical.com> | 2019-09-25 08:02:48 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2020-01-21 05:58:04 -0800 |
commit | 3ed4aaa94fc07db3cd0c91be95e3e1b9782a2710 (patch) | |
tree | cfc3ea35aca20cc8527aed39583083a6ed414ad2 /security/apparmor/include | |
parent | a68d59ff4d67ec182926aaa82daaa66b3d465c9a (diff) |
apparmor: fix nnp subset test for unconfined
The subset test is not taking into account the unconfined exception
which will cause profile transitions in the stacked confinement
case to fail when no_new_privs is applied.
This fixes a regression introduced in the fix for
https://bugs.launchpad.net/bugs/1839037
BugLink: https://bugs.launchpad.net/bugs/1844186
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r-- | security/apparmor/include/label.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h index 47942c4ba7ca..255764ab06e2 100644 --- a/security/apparmor/include/label.h +++ b/security/apparmor/include/label.h @@ -281,6 +281,7 @@ bool aa_label_init(struct aa_label *label, int size, gfp_t gfp); struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp); bool aa_label_is_subset(struct aa_label *set, struct aa_label *sub); +bool aa_label_is_unconfined_subset(struct aa_label *set, struct aa_label *sub); struct aa_profile *__aa_label_next_not_in_set(struct label_it *I, struct aa_label *set, struct aa_label *sub); |
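Review bot: the new prototype aa_label_is_unconfined_subset() in label.h has the same signature as aa_label_is_subset() directly above it and carries no comment saying how the two differ. The choice between them decides whether a stacked profile transition passes the no_new_privs subset check, so a short comment above the prototype (or kernel-doc at the definition) should state what the unconfined exception means for set and sub and when a caller should use this variant instead of the plain subset test. This view is limited to security/apparmor/include, so the definition and the call site that switches to the new helper are not visible here and need to be reviewed together with this declaration.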