
Commit 078c73c6 authored by John Johansen's avatar John Johansen

apparmor: add profile and ns params to aa_may_manage_policy()



Policy management will be expanded beyond traditional unconfined root.
This will require knowing the profile of the task doing the management
and the ns view.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent fd2a8043
+1 −1
@@ -100,7 +100,7 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
	 * Don't allow profile load/replace/remove from profiles that don't
	 * have CAP_MAC_ADMIN
	 */
	if (!aa_may_manage_policy(op))
	if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))
		return ERR_PTR(-EACCES);

	/* freed by caller to simple_write_to_buffer */
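Review bot: The negation kept in `if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))` inverts the permission check, because this commit changes the function to return 0 when management is allowed and an error code otherwise. As written, a permitted caller gets `ERR_PTR(-EACCES)`, while a caller for whom the function returns a non-zero error falls through to the code after the check. The call site should test for non-zero and propagate the code: `error = aa_may_manage_policy(__aa_current_profile(), NULL, op);` followed by `if (error) return ERR_PTR(error);`, using an `int error` local. The body of aa_simple_write_to_buffer starts and ends outside the hunk, so whether such a local already exists is not visible here. Any other caller still using the old boolean test needs the same change, since the function keeps its name and the mismatch compiles without a warning.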
+1 −1
@@ -301,6 +301,6 @@ static inline int AUDIT_MODE(struct aa_profile *profile)

bool policy_view_capable(struct aa_ns *ns);
bool policy_admin_capable(struct aa_ns *ns);
bool aa_may_manage_policy(int op);
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);

#endif /* __AA_POLICY_H */
+10 −12
@@ -650,26 +650,24 @@ bool policy_admin_capable(struct aa_ns *ns)

/**
 * aa_may_manage_policy - can the current task manage policy
 * @profile: profile to check if it can manage policy
 * @op: the policy manipulation operation being done
 *
 * Returns: true if the task is allowed to manipulate policy
 * Returns: 0 if the task is allowed to manipulate policy else error
 */
bool aa_may_manage_policy(int op)
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
{
	/* check if loading policy is locked out */
	if (aa_g_lock_policy) {
		audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
	if (aa_g_lock_policy)
		return audit_policy(profile, op, GFP_KERNEL, NULL,
			     "policy_locked", -EACCES);
		return 0;
	}

	if (!policy_admin_capable(NULL)) {
		audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
	if (!policy_admin_capable(ns))
		return audit_policy(profile, op, GFP_KERNEL, NULL,
				    "not policy admin", -EACCES);
		return 0;
	}

	return 1;
	/* TODO: add fine grained mediation of policy loads */
	return 0;
}

static struct aa_profile *__list_lookup_parent(struct list_head *lh,
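Review bot: Both deny paths in aa_may_manage_policy() now return whatever `audit_policy()` returns, so the policy lockout and the admin-capability check only deny if that helper never yields 0 when handed `-EACCES`; before this change they denied unconditionally. `audit_policy()` is not shown on this page, so this may already hold, but the decision is safer made explicit: call `audit_policy(profile, op, GFP_KERNEL, NULL, "policy_locked", -EACCES);` for the record, then `return -EACCES;`, and likewise for the "not policy admin" branch. The kernel-doc block also gains `@profile` but omits the new parameter; a line such as `@ns: namespace passed to policy_admin_capable() (may be NULL)` would complete it.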