apparmor: switch to apparmor to internal capable check for policy management

With LSM stacking calling back into capable to check for MAC_ADMIN for apparmor policy results in asking the other stacked LSMs for MAC_ADMIN resulting in the other LSMs answering based on their policy management. For apparmor policy management we just need to call apparmor's capability fn directly. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-24 10:39:52 +00:00 · 2020-07-01 02:18:18 -07:00 · 2020-07-01 02:18:18 -07:00 · 31ec99e133
commit 31ec99e133
parent 92de220a7f
1 changed files with 17 additions and 1 deletions
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@ -631,6 +631,22 @@ static int audit_policy(struct aa_label *label, const char *op,
 	return error;
 }
 /* don't call out to other LSMs in the stack for apparmor policy admin
 * permissions
 */
 static int policy_ns_capable(struct aa_label *label,
 			     struct user_namespace *userns, int cap)
 {
 	int err;
 	/* check for MAC_ADMIN cap in cred */
 	err = cap_capable(current_cred(), userns, cap, CAP_OPT_NONE);
 	if (!err)
 		err = aa_capable(label, cap, CAP_OPT_NONE);
 	return err;
 }
 /**
 * aa_policy_view_capable - check if viewing policy in at @ns is allowed
 * label: label that is trying to view policy in ns
@ -662,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
 {
 	struct user_namespace *user_ns = current_user_ns();
-	bool capable = ns_capable(user_ns, CAP_MAC_ADMIN);
+	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);
 	AA_DEBUG("cap_mac_admin? %d\n", capable);
 	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);