UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file
BugLink: https://launchpad.net/bugs/1560583
Change the apparmorfs profiles file permissions check to better match
the old requirements before the apparmorfs permissions were changed to
allow profile loads inside of confined, first-level user namespaces.
Historically, the profiles file has been readable by the root user and
group. A recent change added the requirement that the process have the
CAP_MAC_ADMIN capability. This is a problem for confined processes since
keeping the 'capability mac_admin,' rule out of the AppArmor profile is
often desired.
This patch replaces the CAP_MAC_ADMIN requirement with a requirement
that the process is root in its user namespace.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>