summaryrefslogtreecommitdiff
path: root/security/apparmor/include/policy.h
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-01-16 11:42:50 +0300
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 12:18:39 +0300
commit2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f (patch)
tree17cdd607014ece52ccafbbc472750b3d25a9f566 /security/apparmor/include/policy.h
parenta6f233003b1af70132619bca386dfae1862a45e8 (diff)
downloadlinux-2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f.tar.xz
apparmor: add ns being viewed as a param to policy_view_capable()
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include/policy.h')
-rw-r--r--security/apparmor/include/policy.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 8fcfb3c78d21..b0b65c525bcc 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -33,6 +33,8 @@
struct aa_ns;
+extern int unprivileged_userns_apparmor_policy;
+
extern const char *const aa_profile_mode_names[];
#define APPARMOR_MODE_NAMES_MAX_INDEX 4
@@ -297,7 +299,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
return profile->audit;
}
-bool policy_view_capable(void);
+bool policy_view_capable(struct aa_ns *ns);
bool policy_admin_capable(void);
bool aa_may_manage_policy(int op);