Commit f95a502b authored by Tyler Hicks, committed by Tim Gardner

UBUNTU: SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

BugLink: https://launchpad.net/bugs/1560583

Check the value of the unprivileged_userns_apparmor_policy sysctl when a
namespace root process attempts to read the apparmorfs profiles file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
parent 7c0f2425
......@@ -625,7 +625,8 @@ bool policy_admin_capable(void)
if (ns_capable(user_ns, CAP_MAC_ADMIN) &&
(user_ns == &init_user_ns ||
(user_ns->level == 1 && ns != root_ns)))
(unprivileged_userns_apparmor_policy != 0 &&
user_ns->level == 1 && ns != root_ns)))
response = true;
aa_put_ns(ns);
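Review bot: the new sysctl test is placed in policy_admin_capable(), so it gates every caller of that helper, while the commit message only describes the apparmorfs profiles read; either the message should state that all user-namespace policy-admin decisions made through this helper now honour unprivileged_userns_apparmor_policy, or the check belongs at the profiles-read call site if that narrower scope is what is intended. The hunk also adds no declaration for unprivileged_userns_apparmor_policy, so this file must already see it through an included header for the build to succeed; worth confirming. A short comment above the condition explaining that a level-1 user namespace root is only treated as policy admin when the sysctl is non-zero (`unprivileged_userns_apparmor_policy != 0 && user_ns->level == 1 && ns != root_ns`) would make the intent of the nested condition clearer to the next reader.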