Commit 078c73c6 authored by John Johansen's avatar John Johansen

apparmor: add profile and ns params to aa_may_manage_policy()

Policy management will be expanded beyond traditional unconfined root.
This will require knowing the profile of the task doing the management
and the ns view.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent fd2a8043
...@@ -100,7 +100,7 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf, ...@@ -100,7 +100,7 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
* Don't allow profile load/replace/remove from profiles that don't * Don't allow profile load/replace/remove from profiles that don't
* have CAP_MAC_ADMIN * have CAP_MAC_ADMIN
*/ */
if (!aa_may_manage_policy(op)) if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))
return ERR_PTR(-EACCES); return ERR_PTR(-EACCES);
/* freed by caller to simple_write_to_buffer */ /* freed by caller to simple_write_to_buffer */
......
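Review bot: The call site keeps the old boolean test, `if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))`, although the function now returns 0 when management is allowed and an error otherwise. Under that contract the allowed path (return 0) is rejected with -EACCES, and a denial that comes back as a non-zero error falls through to the buffer allocation, so the CAP_MAC_ADMIN gate described in the comment above it fails open. The check should follow the new convention: `error = aa_may_manage_policy(__aa_current_profile(), NULL, op);` followed by `if (error) return ERR_PTR(error);`, with an `int error` local. The body of aa_simple_write_to_buffer starts and ends outside the hunk, so whether such a local already exists cannot be seen here. Any caller of aa_may_manage_policy() not shown on this page needs the same audit, because the bool-to-int change compiles without a warning.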
...@@ -301,6 +301,6 @@ static inline int AUDIT_MODE(struct aa_profile *profile) ...@@ -301,6 +301,6 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
bool policy_view_capable(struct aa_ns *ns); bool policy_view_capable(struct aa_ns *ns);
bool policy_admin_capable(struct aa_ns *ns); bool policy_admin_capable(struct aa_ns *ns);
bool aa_may_manage_policy(int op); int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);
#endif /* __AA_POLICY_H */ #endif /* __AA_POLICY_H */
...@@ -650,26 +650,24 @@ bool policy_admin_capable(struct aa_ns *ns) ...@@ -650,26 +650,24 @@ bool policy_admin_capable(struct aa_ns *ns)
/** /**
* aa_may_manage_policy - can the current task manage policy * aa_may_manage_policy - can the current task manage policy
* @profile: profile to check if it can manage policy
* @op: the policy manipulation operation being done * @op: the policy manipulation operation being done
* *
* Returns: true if the task is allowed to manipulate policy * Returns: 0 if the task is allowed to manipulate policy else error
*/ */
bool aa_may_manage_policy(int op) int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
{ {
/* check if loading policy is locked out */ /* check if loading policy is locked out */
if (aa_g_lock_policy) { if (aa_g_lock_policy)
audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL, return audit_policy(profile, op, GFP_KERNEL, NULL,
"policy_locked", -EACCES); "policy_locked", -EACCES);
return 0;
}
if (!policy_admin_capable(NULL)) { if (!policy_admin_capable(ns))
audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL, return audit_policy(profile, op, GFP_KERNEL, NULL,
"not policy admin", -EACCES); "not policy admin", -EACCES);
return 0;
}
return 1; /* TODO: add fine grained mediation of policy loads */
return 0;
} }
static struct aa_profile *__list_lookup_parent(struct list_head *lh, static struct aa_profile *__list_lookup_parent(struct list_head *lh,
......
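Review bot: Both denial branches of aa_may_manage_policy() now return whatever audit_policy() returns, so the access decision depends on the audit helper never yielding 0 for a refused request. audit_policy() is not shown on this page, so that needs confirming. Keeping the decision explicit is safer: call `audit_policy(profile, op, GFP_KERNEL, NULL, "policy_locked", -EACCES);` and then `return -EACCES;`, and do the same for the "not policy admin" branch. The kernel-doc gained `@profile` but has no entry for the new `ns` argument, and its summary still says "the current task" although the profile is now supplied by the caller. A line such as `@ns: namespace passed to policy_admin_capable() (NULL in the visible caller)` would close that gap.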