apparmor: add profile and ns params to aa_may_manage_policy()
Policy management will be expanded beyond traditional unconfined root. This will require knowning the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
fd2a80438d
commit
078c73c63f
@ -100,7 +100,7 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
|
|||||||
* Don't allow profile load/replace/remove from profiles that don't
|
* Don't allow profile load/replace/remove from profiles that don't
|
||||||
* have CAP_MAC_ADMIN
|
* have CAP_MAC_ADMIN
|
||||||
*/
|
*/
|
||||||
if (!aa_may_manage_policy(op))
|
if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))
|
||||||
return ERR_PTR(-EACCES);
|
return ERR_PTR(-EACCES);
|
||||||
|
|
||||||
/* freed by caller to simple_write_to_buffer */
|
/* freed by caller to simple_write_to_buffer */
|
||||||
|
@ -301,6 +301,6 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
|
|||||||
|
|
||||||
bool policy_view_capable(struct aa_ns *ns);
|
bool policy_view_capable(struct aa_ns *ns);
|
||||||
bool policy_admin_capable(struct aa_ns *ns);
|
bool policy_admin_capable(struct aa_ns *ns);
|
||||||
bool aa_may_manage_policy(int op);
|
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);
|
||||||
|
|
||||||
#endif /* __AA_POLICY_H */
|
#endif /* __AA_POLICY_H */
|
||||||
|
@ -650,26 +650,24 @@ bool policy_admin_capable(struct aa_ns *ns)
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* aa_may_manage_policy - can the current task manage policy
|
* aa_may_manage_policy - can the current task manage policy
|
||||||
|
* @profile: profile to check if it can manage policy
|
||||||
* @op: the policy manipulation operation being done
|
* @op: the policy manipulation operation being done
|
||||||
*
|
*
|
||||||
* Returns: true if the task is allowed to manipulate policy
|
* Returns: 0 if the task is allowed to manipulate policy else error
|
||||||
*/
|
*/
|
||||||
bool aa_may_manage_policy(int op)
|
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
|
||||||
{
|
{
|
||||||
/* check if loading policy is locked out */
|
/* check if loading policy is locked out */
|
||||||
if (aa_g_lock_policy) {
|
if (aa_g_lock_policy)
|
||||||
audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
|
return audit_policy(profile, op, GFP_KERNEL, NULL,
|
||||||
"policy_locked", -EACCES);
|
"policy_locked", -EACCES);
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!policy_admin_capable(NULL)) {
|
if (!policy_admin_capable(ns))
|
||||||
audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
|
return audit_policy(profile, op, GFP_KERNEL, NULL,
|
||||||
"not policy admin", -EACCES);
|
"not policy admin", -EACCES);
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 1;
|
/* TODO: add fine grained mediation of policy loads */
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct aa_profile *__list_lookup_parent(struct list_head *lh,
|
static struct aa_profile *__list_lookup_parent(struct list_head *lh,
|
||||||
|
Loading…
Reference in New Issue
Block a user