apparmor: add profile and ns params to aa_may_manage_policy()

	 * Don't allow profile load/replace/remove from profiles that don't

	 * have CAP_MAC_ADMIN

	 */

	if (!aa_may_manage_policy(op))

	if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))

		return ERR_PTR(-EACCES);

	/* freed by caller to simple_write_to_buffer */

bool policy_view_capable(struct aa_ns *ns);

bool policy_admin_capable(struct aa_ns *ns);

bool aa_may_manage_policy(int op);

int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);

#endif /* __AA_POLICY_H */

/**

 * aa_may_manage_policy - can the current task manage policy

 * @profile: profile to check if it can manage policy

 * @op: the policy manipulation operation being done

 *

 * Returns: true if the task is allowed to manipulate policy

 * Returns: 0 if the task is allowed to manipulate policy else error

 */

bool aa_may_manage_policy(int op)

int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)

{

	/* check if loading policy is locked out */

	if (aa_g_lock_policy) {

		audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,

	if (aa_g_lock_policy)

		return audit_policy(profile, op, GFP_KERNEL, NULL,

			     "policy_locked", -EACCES);

		return 0;

	}

	if (!policy_admin_capable(NULL)) {

		audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,

	if (!policy_admin_capable(ns))

		return audit_policy(profile, op, GFP_KERNEL, NULL,

				    "not policy admin", -EACCES);

		return 0;

	}

	return 1;

	/* TODO: add fine grained mediation of policy loads */

	return 0;

}

static struct aa_profile *__list_lookup_parent(struct list_head *lh,