git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commit

author	Tyler Hicks <tyhicks@canonical.com>
	Wed, 23 Mar 2016 21:26:20 +0000 (16:26 -0500)
committer	Tim Gardner <tim.gardner@canonical.com>
	Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
commit	8ccc1769885c5125876e801e997ea9b0c27e4002
tree	65409b470823bcafa8d1bf439a257769f15992d0	tree
parent	856924548b09b777e824829c52cd06304b8e9abc	commit \| diff

UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file

BugLink: https://launchpad.net/bugs/1560583
Change the apparmorfs profiles file permissions check to better match
the old requirements before the apparmorfs permissions were changed to
allow profile loads inside of confined, first-level user namespaces.

Historically, the profiles file has been readable by the root user and
group. A recent change added the requirement that the process have the
CAP_MAC_ADMIN capability. This is a problem for confined processes since
keeping the 'capability mac_admin,' rule out of the AppArmor profile is
often desired.

This patch replaces the CAP_MAC_ADMIN requirement with a requirement
that the process is root in its user namespace.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

security/apparmor/apparmorfs.c		diff \| blob \| blame \| history
security/apparmor/include/policy.h		diff \| blob \| blame \| history
security/apparmor/policy.c		diff \| blob \| blame \| history