diff options
author | John Johansen <john.johansen@canonical.com> | 2017-06-09 14:07:02 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-06-10 17:11:40 -0700 |
commit | c70c86c421427fd8487867de66c4104b15abd772 (patch) | |
tree | 0d742b0b9d2f2972b1f93aea3caf1a6c87b3b91b /security/apparmor/include | |
parent | 317d9a054e1c6d5f18b02b99ce09911942f8e603 (diff) |
apparmor: move capability checks to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r-- | security/apparmor/include/capability.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h index 1218e95ebe49..e0304e2aeb7f 100644 --- a/security/apparmor/include/capability.h +++ b/security/apparmor/include/capability.h @@ -19,11 +19,12 @@ #include "apparmorfs.h" -struct aa_profile; +struct aa_label; /* aa_caps - confinement data for capabilities * @allowed: capabilities mask * @audit: caps that are to be audited + * @denied: caps that are explicitly denied * @quiet: caps that should not be audited * @kill: caps that when requested will result in the task being killed * @extended: caps that are subject finer grained mediation @@ -31,6 +32,7 @@ struct aa_profile; struct aa_caps { kernel_cap_t allow; kernel_cap_t audit; + kernel_cap_t denied; kernel_cap_t quiet; kernel_cap_t kill; kernel_cap_t extended; @@ -38,7 +40,7 @@ struct aa_caps { extern struct aa_sfs_entry aa_sfs_entry_caps[]; -int aa_capable(struct aa_profile *profile, int cap, int audit); +int aa_capable(struct aa_label *label, int cap, int audit); static inline void aa_free_cap_rules(struct aa_caps *caps) { |