security/apparmor/apparmor.h | 10 ++++++++++
security/apparmor/apparmorfs.c | 4 ++--
security/apparmor/lsm.c | 15 ++++++---------
security/apparmor/module_interface.c | 2 ++
4 files changed, 20 insertions(+), 11 deletions(-)
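--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -158,8 +158,17 @@ struct aa_namespace {
  * @file_rules: dfa containing the profiles file rules
  * @flags: flags controlling profile behavior
  * @isstale: flag indicating if profile is stale
+ * @set_caps: capabilities that are being set
+ * @capabilities: capabilities mask
+ * @audit_caps: caps that are to be audited
+ * @quiet_caps: caps that should not be audited
  * @capabilities: capabilities granted by the process
  * @count: reference count of the profile
+ * @task_contexts: list of tasks confined by profile
+ * @lock: lock for the task_contexts list
+ * @network_families: basic network permissions
+ * @audit_network: which network permissions to force audit
+ * @quiet_network: which network permissions to quiet rejects
  * The AppArmor profile contains the basic confinement data. Each profile
  * has a name, and all nonstale profile are in a profile namespace.
@@ -183,6 +192,7 @@ struct aa_profile {
+ kernel_cap_t set_caps;
  kernel_cap_t capabilities;
  kernel_cap_t audit_caps;
  kernel_cap_t quiet_caps;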
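Review bot: The kerneldoc block for struct aa_profile now carries two @capabilities entries, the added `+ * @capabilities: capabilities mask` and the existing ` * @capabilities: capabilities granted by the process`, so one of them should be dropped and the survivor should say what the mask actually is. The new `@set_caps: capabilities that are being set` does not explain the field's role; given how lsm.c's apparmor_capable() consults it in this same series, something like `@set_caps: capabilities the profile may grant even when cap_capable() has denied them` tells a reader why the field is security-sensitive. The added @task_contexts, @lock, @network_families, @audit_network and @quiet_network entries describe members that the second hunk does not add, so presumably they already exist elsewhere in the struct; worth confirming before the doc claims them.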
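--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -103,8 +103,8 @@ static struct file_operations apparmorfs
 static ssize_t aa_features_read(struct file *file, char __user *buf,
 size_t size, loff_t *ppos)
- const char *features = "file=3.0 capability=1.0 network=1.0 "
- "change_hat=1.3 change_profile=1.0 "
+ const char *features = "file=3.0 capability=2.0 network=1.0 "
+ "change_hat=1.4 change_profile=1.0 "
 return simple_read_from_buffer(buf, size, ppos, features,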
49
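--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -210,19 +210,16 @@ static int apparmor_ptrace(struct task_s
 static int apparmor_capable(struct task_struct *task, int cap)
+ struct aa_task_context *cxt;
 /* cap_capable returns 0 on success, else -EPERM */
 error = cap_capable(task, cap);
- struct aa_task_context *cxt;
- cxt = aa_task_context(task);
- error = aa_capability(cxt, cap);
+ cxt = aa_task_context(task);
+ if (cxt && (!error || cap_raised(cxt->profile->set_caps, cap)))
+ error = aa_capability(cxt, cap);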
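Review bot: The new condition lets aa_capability() replace a cap_capable() denial whenever set_caps has cap raised, which turns this hook from a pure restriction into a capability grant, yet the only comment nearby still describes cap_capable() alone. A comment on the added `if` should state that explicitly, e.g. `/* a cap in set_caps is granted by the profile even if cap_capable() denied it; aa_capability() still mediates and audits it */`, so the next reader does not assume the LSM hook can only tighten. The added line also dereferences `cxt->profile` with no check; if a confined task's context can ever have a NULL profile this is a NULL dereference, so it is worth confirming that a non-NULL cxt implies a valid profile here. The remainder of apparmor_capable(), including its return, lies outside the hunk.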
--- a/security/apparmor/module_interface.c
78
+++ b/security/apparmor/module_interface.c
79
@@ -316,6 +316,8 @@ static struct aa_profile *aa_unpack_prof
81
if (!aa_is_u32(e, &(profile->quiet_caps), NULL))
83
+ if (!aa_is_u32(e, &(profile->set_caps), NULL))
86
size = aa_is_array(e, "net_allowed_af");