git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commitdiff
UBUNTU: SAUCE: apparmor: Consult sysctl when reading profiles in a user ns
author Tyler Hicks <tyhicks@canonical.com>
Wed, 23 Mar 2016 21:41:33 +0000 (16:41 -0500)
committer Tim Gardner <tim.gardner@canonical.com>
Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
BugLink: https://launchpad.net/bugs/1560583
Check the value of the unprivileged_userns_apparmor_policy sysctl when a
namespace root process attempts to read the apparmorfs profiles file.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
security/apparmor/policy.c

index bab3d0cc0e52e0ddcd3d87a2423bc60f3e08b47f..57135d51b3ea2d112fbe15af3b4beda21c95fbb5 100644 (file)
@@ -625,7 +625,8 @@ bool policy_admin_capable(void)
 
        if (ns_capable(user_ns, CAP_MAC_ADMIN) &&
            (user_ns == &init_user_ns ||
-            (user_ns->level == 1 && ns != root_ns)))
+            (unprivileged_userns_apparmor_policy != 0 &&
+             user_ns->level == 1 && ns != root_ns)))
                response = true;
        aa_put_ns(ns);
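Review bot: The commit message describes the sysctl being consulted when a namespace root process reads the apparmorfs profiles file, yet the only function touched is policy_admin_capable(), whose name suggests it gates policy administration rather than viewing; either the profiles read path really does go through policy_admin_capable(), in which case the message should say so, or the new `unprivileged_userns_apparmor_policy != 0 &&` condition belongs in a view-specific helper instead. Please also spell out in the message that, with the sysctl set to 0, every caller of policy_admin_capable() running as root in a level-1 user namespace (not only the profiles file reader) now gets response = false, since that is the actual scope of this hunk. Finally, unprivileged_userns_apparmor_policy is referenced here without any declaration or include appearing in the patch, which only modifies security/apparmor/policy.c; confirm the extern is already visible through a header policy.c includes, otherwise this will not build.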