diff options
Diffstat (limited to 'security/apparmor/capability.c')
| -rw-r--r-- | security/apparmor/capability.c | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c index 1101c6f64bb7..ed0a3e6b8022 100644 --- a/security/apparmor/capability.c +++ b/security/apparmor/capability.c @@ -15,6 +15,7 @@ #include <linux/capability.h> #include <linux/errno.h> #include <linux/gfp.h> +#include <linux/security.h> #include "include/apparmor.h" #include "include/capability.h" @@ -55,6 +56,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) * audit_caps - audit a capability * @profile: profile being tested for confinement (NOT NULL) * @cap: capability tested + @audit: whether an audit record should be generated * @error: error code returned by test * * Do auditing of capability and handle, audit/complain/kill modes switching @@ -62,17 +64,16 @@ static void audit_cb(struct audit_buffer *ab, void *va) * * Returns: 0 or sa->error on success, error code on failure */ -static int audit_caps(struct aa_profile *profile, int cap, int error) +static int audit_caps(struct aa_profile *profile, int cap, int audit, + int error) { struct audit_cache *ent; int type = AUDIT_APPARMOR_AUTO; - struct common_audit_data sa; - struct apparmor_audit_data aad = {0,}; - sa.type = LSM_AUDIT_DATA_CAP; - sa.aad = &aad; + DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE); sa.u.cap = cap; - sa.aad->op = OP_CAPABLE; - sa.aad->error = error; + aad(&sa)->error = error; + if (audit == SECURITY_CAP_NOAUDIT) + aad(&sa)->info = "optional: no audit"; if (likely(!error)) { /* test if auditing is being forced */ @@ -104,7 +105,7 @@ static int audit_caps(struct aa_profile *profile, int cap, int error) } put_cpu_var(audit_cache); - return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb); + return aa_audit(type, profile, &sa, audit_cb); } /** @@ -133,11 +134,10 @@ int aa_capable(struct aa_profile *profile, int cap, int audit) { int error = profile_capable(profile, cap); - if (!audit) { - if (COMPLAIN_MODE(profile)) - return complain_error(error); - return error; + if (audit == SECURITY_CAP_NOAUDIT) { + if (!COMPLAIN_MODE(profile)) + return error; } - return audit_caps(profile, cap, error); + return audit_caps(profile, cap, audit, error); } |