authorJohn Johansen <john.johansen@canonical.com>2020-06-30 17:00:11 -0700
committerJohn Johansen <john.johansen@canonical.com>2021-02-07 04:13:54 -0800
commit92de220a7f336367127351da58cff691da5bb17b (patch)
treed246001003718f842a473e2f57367eb69051be61 /security/apparmor/include
parent5268d795d6888b202ad9f2b16a254cd00d0de77b (diff)
apparmor: update policy capable checks to use a label
Previously the policy capable checks assumed they were using the current task. Make them take the task label so the query can be made against an arbitrary task. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/label.h1
-rw-r--r--security/apparmor/include/policy.h6
2 files changed, 5 insertions, 2 deletions
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 255764ab06e2..f5b5485e20c9 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -148,6 +148,7 @@ do { \
#define __label_make_stale(X) ((X)->flags |= FLAG_STALE)
#define labels_ns(X) (vec_ns(&((X)->vec[0]), (X)->size))
#define labels_set(X) (&labels_ns(X)->labels)
+#define labels_view(X) labels_ns(X)
#define labels_profile(X) ((X)->vec[(X)->size - 1])
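Review bot: `labels_view()` is added as a bare alias of `labels_ns()` with no comment saying what a label's "view" is or why it needs its own name, so a reader of the policy-capable checks cannot tell whether the two are meant to stay identical. Because the namespace picked here presumably decides which policy a label is allowed to see, I would put a one-line comment above the define, e.g. `/* namespace a label views policy from; currently the same as labels_ns() */`. The expansion is also unparenthesized, unlike its neighbours; that is harmless today because `labels_ns(X)` is itself parenthesized, but `(labels_ns(X))` would match the surrounding style.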
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index b5b4b8190e65..cb5ef21991b7 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -301,9 +301,11 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
return profile->audit;
}
-bool policy_view_capable(struct aa_ns *ns);
-bool policy_admin_capable(struct aa_ns *ns);
+bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns);
+bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns);
int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,
u32 mask);
+bool aa_current_policy_view_capable(struct aa_ns *ns);
+bool aa_current_policy_admin_capable(struct aa_ns *ns);
#endif /* __AA_POLICY_H */
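Review bot: The new `aa_policy_view_capable()` and `aa_policy_admin_capable()` prototypes take a `label`, but nothing in the header says whose label it is or what the caller must guarantee about it. The definitions are outside this view (the diff is limited to include/), so it is worth confirming that every part of the decision, including any capability or user-namespace test, is made against the task that owns `label` and not against current. Otherwise a query about another task could be answered partly with the caller's privileges. I would document the contract on the declarations, e.g. `/* @label: subject being checked (not necessarily current); @ns: namespace whose policy is viewed or managed */`, and state that the `aa_current_*` variants are the ones to use when the subject is the calling task.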