From 078c73c63fb2878689da334f112507639c72c14f Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Mon, 16 Jan 2017 00:42:52 -0800
Subject: apparmor: add profile and ns params to aa_may_manage_policy()

Policy management will be expanded beyond traditional unconfined root.
This will require knowning the profile of the task doing the management
and the ns view.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/apparmorfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'security/apparmor/apparmorfs.c')

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 9fd7f73a4e86..cc6ee1ee2b42 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -100,7 +100,7 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
 	 * Don't allow profile load/replace/remove from profiles that don't
 	 * have CAP_MAC_ADMIN
 	 */
-	if (!aa_may_manage_policy(op))
+	if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))
 		return ERR_PTR(-EACCES);
 
 	/* freed by caller to simple_write_to_buffer */
-- 
cgit v1.2.3