return profile->audit;
}
+bool policy_view_capable(void);
bool policy_admin_capable(void);
bool aa_may_open_profiles(void);
int aa_may_manage_policy(struct aa_label *label, u32 mask);
{
if (!policy_admin_capable())
return -EPERM;
- if (aa_g_lock_policy)
- return -EACCES;
return param_set_bool(val, kp);
}
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_view_capable())
return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
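Review bot: A write to the lock parameter after the lock is set now fails with -EPERM instead of -EACCES, because the setter at the top of this hunk drops its explicit `aa_g_lock_policy` test and relies on `policy_admin_capable()` to refuse. Userspace that told "not privileged" apart from "policy locked" by errno loses that signal, and any log or audit consumer keyed on the return code will see a locked-policy write as an ordinary permission failure. If the old code is part of the expected interface, keep the distinction with `if (!policy_view_capable()) return -EPERM;` followed by `if (aa_g_lock_policy) return -EACCES;`; otherwise state the errno change in the commit message. The setter's signature lies above the hunk.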
static int param_get_aabool(char *buffer, const struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_view_capable())
return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
static int param_get_aauint(char *buffer, const struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_view_capable())
return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
static int param_get_audit(char *buffer, struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_view_capable())
return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
static int param_get_mode(char *buffer, struct kernel_param *kp)
{
- if (!policy_admin_capable())
+ if (!policy_view_capable())
return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
return error;
}
-bool policy_admin_capable(void)
+bool policy_view_capable(void)
{
struct user_namespace *user_ns = current_user_ns();
struct aa_ns *ns = aa_get_current_ns();
return response;
}
+bool policy_admin_capable(void)
+{
+ return policy_view_capable() && !aa_g_lock_policy;
+}
+
bool aa_may_open_profiles(void)
{
struct user_namespace *user_ns = current_user_ns();
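Review bot: The new `policy_admin_capable()` folds the lock state into a privilege predicate without any comment, so every caller (for example `aa_may_manage_policy()`, whose body is not shown) will presumably treat a locked policy as a plain capability failure. A kernel-doc comment on the function should say that it returns false for every task once `aa_g_lock_policy` is set, and that read-only paths must call `policy_view_capable()` instead, so the getters are not later switched back to the admin check. The flag is read here without `READ_ONCE()` or a lock; that looks acceptable if the parameter can only move from false to true, as the removed setter check suggests, but the same comment should state it. `aa_may_open_profiles()` continues past the end of the hunk.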