Commit 35fad5b4 authored by John Johansen

apparmor: remove explicit restriction that unconfined cannot use change_hat



There does not need to be an explicit restriction that unconfined
can't use change_hat. Traditionally unconfined doesn't have hats
so change_hat could not be used. But newer unconfined profiles have
the potential of having hats, and even system unconfined will be
able to be replaced with a profile that allows for hats.

To remain backwards compatible with expected return codes, continue
to return -EPERM if the unconfined profile does not have any hats.

Signed-off-by: John Johansen <john.johansen@canonical.com>
parent cd769b05

+1 −0
@@ -2332,6 +2332,7 @@ static struct aa_sfs_entry aa_sfs_entry_attach[] = {
static struct aa_sfs_entry aa_sfs_entry_domain[] = {
	AA_SFS_FILE_BOOLEAN("change_hat",	1),
	AA_SFS_FILE_BOOLEAN("change_hatv",	1),
	AA_SFS_FILE_BOOLEAN("unconfined_allowed_children",	1),
	AA_SFS_FILE_BOOLEAN("change_onexec",	1),
	AA_SFS_FILE_BOOLEAN("change_profile",	1),
	AA_SFS_FILE_BOOLEAN("stack",		1),
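Review bot: the new apparmorfs feature flag `AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1)` is introduced in this hunk but is not mentioned anywhere in the commit message, which only talks about change_hat and return codes. Userspace (and anyone grepping the features directory) discovers behaviour changes through these flags, so the message should state that a new `unconfined_allowed_children` feature entry is exported and what it signals (that unconfined labels whose profiles have children may now use change_hat).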
+17 −3
@@ -1186,11 +1186,25 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
	if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
		ctx->nnp = aa_get_label(label);

	/* return -EPERM when unconfined doesn't have children to avoid
	 * changing the traditional error code for unconfined.
	 */
	if (unconfined(label)) {
		struct label_it i;
		bool empty = true;

		rcu_read_lock();
		label_for_each_in_ns(i, labels_ns(label), label, profile) {
			empty &= list_empty(&profile->base.profiles);
		}
		rcu_read_unlock();

		if (empty) {
			info = "unconfined can not change_hat";
			error = -EPERM;
			goto fail;
		}
	}

	if (count) {
		new = change_hat(subj_cred, label, hats, count, flags);
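Review bot: the emptiness test does not quite match the commit message. `list_empty(&profile->base.profiles)` is true only when the profile has no child profiles at all, so any non-hat child profile also lets an unconfined label past this check, whereas the message says -EPERM is returned "if the unconfined profile does not have any hats"; either the message should say "children" (as the in-code comment already does) or the loop should look specifically for hats. Two smaller points in the same block: once `empty` has become false the loop keeps walking the remaining profiles, so a `if (!empty) break;` after the `empty &=` line would avoid the extra traversal under `rcu_read_lock()`; and the `info = "unconfined can not change_hat"` string is now only reached for the no-children case, so a wording like "unconfined has no hats to change to" would make the audit record describe the actual reason for the denial.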