apparmor: add ns being viewed as a param to policy_admin_capable()

Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available.

Signed-off-by: John Johansen <john.johansen@canonical.com>

3 files changed, 16 insertions, 10 deletions

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index b0b65c525bcc..27f9171fa31f 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -300,7 +300,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 }
 
 bool policy_view_capable(struct aa_ns *ns);
-bool policy_admin_capable(void);
+bool policy_admin_capable(struct aa_ns *ns);
 bool aa_may_manage_policy(int op);
 
 #endif /* __AA_POLICY_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f83ba33651a0..09f1c407c4d8 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -738,7 +738,7 @@ __setup("apparmor=", apparmor_enabled_setup);
 /* set global flag turning off the ability to load policy */
 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 {
-	if (!policy_admin_capable())
+	if (!policy_admin_capable(NULL))
 		return -EPERM;
 	return param_set_bool(val, kp);
 }
@@ -752,7 +752,7 @@ static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 
 static int param_set_aabool(const char *val, const struct kernel_param *kp)
 {
-	if (!policy_admin_capable())
+	if (!policy_admin_capable(NULL))
 		return -EPERM;
 	return param_set_bool(val, kp);
 }
@@ -766,7 +766,7 @@ static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 
 static int param_set_aauint(const char *val, const struct kernel_param *kp)
 {
-	if (!policy_admin_capable())
+	if (!policy_admin_capable(NULL))
 		return -EPERM;
 	return param_set_uint(val, kp);
 }
@@ -792,7 +792,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
 static int param_set_audit(const char *val, struct kernel_param *kp)
 {
 	int i;
-	if (!policy_admin_capable())
+	if (!policy_admin_capable(NULL))
 		return -EPERM;
 
 	if (!apparmor_enabled)
@@ -813,7 +813,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
 
 static int param_get_mode(char *buffer, struct kernel_param *kp)
 {
-	if (!policy_admin_capable())
+	if (!policy_view_capable(NULL))
 		return -EPERM;
 
 	if (!apparmor_enabled)
@@ -825,7 +825,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
 static int param_set_mode(const char *val, struct kernel_param *kp)
 {
 	int i;
-	if (!policy_admin_capable())
+	if (!policy_admin_capable(NULL))
 		return -EPERM;
 
 	if (!apparmor_enabled)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index f092c04c7c4e..ef64c25b2a45 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -637,9 +637,15 @@ bool policy_view_capable(struct aa_ns *ns)
 	return response;
 }
 
-bool policy_admin_capable(void)
+bool policy_admin_capable(struct aa_ns *ns)
 {
-	return policy_view_capable(NULL) && !aa_g_lock_policy;
+	struct user_namespace *user_ns = current_user_ns();
+	bool capable = ns_capable(user_ns, CAP_MAC_ADMIN);
+
+	AA_DEBUG("cap_mac_admin? %d\n", capable);
+	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
+
+	return policy_view_capable(ns) && capable && !aa_g_lock_policy;
 }
 
 /**
@@ -657,7 +663,7 @@ bool aa_may_manage_policy(int op)
 		return 0;
 	}
 
-	if (!policy_admin_capable()) {
+	if (!policy_admin_capable(NULL)) {
 		audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
 			     "not policy admin", -EACCES);
 		return 0;