Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: remove explicit restriction that unconfined cannot use change_hat

There does not need to be an explicit restriction that unconfined
can't use change_hat. Traditionally unconfined doesn't have hats
so change_hat could not be used. But newer unconfined profiles have
the potential of having hats, and even system unconfined will be
able to be replaced with a profile that allows for hats.

To remain backwards compatible with expected return codes, continue
to return -EPERM if the unconfined profile does not have any hats.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+18 -3
+1
security/apparmor/apparmorfs.c
··· 2332 2332 static struct aa_sfs_entry aa_sfs_entry_domain[] = { 2333 2333 AA_SFS_FILE_BOOLEAN("change_hat", 1), 2334 2334 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 2335 + AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1), 2335 2336 AA_SFS_FILE_BOOLEAN("change_onexec", 1), 2336 2337 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2337 2338 AA_SFS_FILE_BOOLEAN("stack", 1),
+17 -3
security/apparmor/domain.c
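Review bot: in the apparmorfs.c hunk, the new `AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1)` feature entry is not mentioned anywhere in the commit message; add a sentence stating that the flag is exported in the domain features so userspace (and policy compilers) can detect that unconfined may now use change_hat, and note that its name advertises "children" while the message talks about "hats", so the reader knows which one the flag actually promises.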
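Review bot: in the domain.c hunk, the check inside `if (unconfined(label))` computes `empty &= list_empty(&profile->base.profiles)`, i.e. whether any profile in the label has any child profile at all, while the commit message says -EPERM is kept when unconfined "does not have any hats". If a child that is not a hat can exist there, an unconfined profile with such a child now falls through to the normal change_hat path and returns whatever error that path produces rather than -EPERM, which is at odds with the backwards-compatibility goal; either restrict the test to hats or state in the new comment that children and hats are equivalent for unconfined. Minor: `empty &= ...` keeps iterating after the first non-empty list is found; a `break` once `empty` is false would do, since only the boolean is used.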
··· 1186 1186 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) 1187 1187 ctx->nnp = aa_get_label(label); 1188 1188 1189 + /* return -EPERM when unconfined doesn't have children to avoid 1190 + * changing the traditional error code for unconfined. 1191 + */ 1189 1192 if (unconfined(label)) { 1190 - info = "unconfined can not change_hat"; 1191 - error = -EPERM; 1192 - goto fail; 1193 + struct label_it i; 1194 + bool empty = true; 1195 + 1196 + rcu_read_lock(); 1197 + label_for_each_in_ns(i, labels_ns(label), label, profile) { 1198 + empty &= list_empty(&profile->base.profiles); 1199 + } 1200 + rcu_read_unlock(); 1201 + 1202 + if (empty) { 1203 + info = "unconfined can not change_hat"; 1204 + error = -EPERM; 1205 + goto fail; 1206 + } 1193 1207 } 1194 1208 1195 1209 if (count) {