apparmor: add ns being viewed as a param to policy_view_capable()

Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16 00:42:50 -08:00
parent a6f233003b
commit 2bd8dbbf22
4 changed files with 35 additions and 8 deletions
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -20,6 +20,7 @@
 #include <linux/sched.h>

 #include "policy.h"
+#include "policy_ns.h"

 #define cred_cxt(X) (X)->security
 #define current_cxt() cred_cxt(current_cred())
@@ -162,6 +163,11 @@ static inline struct aa_profile *aa_current_profile(void)
 	return cxt->profile;
 }

+static inline struct aa_ns *aa_get_current_ns(void)
+{
+	return aa_get_ns(__aa_current_profile()->ns);
+}
+
 /**
 * aa_clear_task_cxt_trans - clear transition tracking info from the cxt
 * @cxt: task context to clear (NOT NULL)
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -33,6 +33,8 @@

 struct aa_ns;

+extern int unprivileged_userns_apparmor_policy;
+
 extern const char *const aa_profile_mode_names[];
 #define APPARMOR_MODE_NAMES_MAX_INDEX 4

@@ -297,7 +299,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 	return profile->audit;
 }

-bool policy_view_capable(void);
+bool policy_view_capable(struct aa_ns *ns);
 bool policy_admin_capable(void);
 bool aa_may_manage_policy(int op);