apparmor: Fix internal policy capable check for policy management

The check was incorrectly treating a returned error as a boolean. Fixes: 31ec99e1 ("apparmor: switch to apparmor to internal capable check for policy management") Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: Fix internal policy capable check for policy management
The check was incorrectly treating a returned error as a boolean. Fixes: 31ec99e1 ("apparmor: switch to apparmor to internal capable check for policy management") Signed-off-by: John Johansen <john.johansen@canonical.com>
dc155617 · John Johansen · d108370c · dc155617
Commit dc155617 authored Apr 03, 2021 by John Johansen
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

security/apparmor/policy.c security/apparmor/policy.c +1 -1

No files found.
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -678,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
 {
 	struct user_namespace *user_ns = current_user_ns();
-	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);
+	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;
 	AA_DEBUG("cap_mac_admin? %d\n", capable);
 	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);