diff options
author | John Johansen <john.johansen@canonical.com> | 2017-01-16 11:42:50 +0300 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 12:18:39 +0300 |
commit | 2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f (patch) | |
tree | 17cdd607014ece52ccafbbc472750b3d25a9f566 /security/apparmor/include/policy.h | |
parent | a6f233003b1af70132619bca386dfae1862a45e8 (diff) | |
download | linux-2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f.tar.xz |
apparmor: add ns being viewed as a param to policy_view_capable()
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available and checking
that the user namespace level is the same as the policy ns level.
This strict pairing will be relaxed once true support of user namespaces
lands.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include/policy.h')
-rw-r--r-- | security/apparmor/include/policy.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index 8fcfb3c78d21..b0b65c525bcc 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -33,6 +33,8 @@ struct aa_ns; +extern int unprivileged_userns_apparmor_policy; + extern const char *const aa_profile_mode_names[]; #define APPARMOR_MODE_NAMES_MAX_INDEX 4 @@ -297,7 +299,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile) return profile->audit; } -bool policy_view_capable(void); +bool policy_view_capable(struct aa_ns *ns); bool policy_admin_capable(void); bool aa_may_manage_policy(int op); |