authorJohn Johansen <john.johansen@canonical.com>2017-06-09 14:07:02 -0700
committerJohn Johansen <john.johansen@canonical.com>2017-06-10 17:11:40 -0700
commitc70c86c421427fd8487867de66c4104b15abd772 (patch)
tree0d742b0b9d2f2972b1f93aea3caf1a6c87b3b91b /security/apparmor/include
parent317d9a054e1c6d5f18b02b99ce09911942f8e603 (diff)
apparmor: move capability checks to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/capability.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
index 1218e95ebe49..e0304e2aeb7f 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -19,11 +19,12 @@
#include "apparmorfs.h"
-struct aa_profile;
+struct aa_label;
/* aa_caps - confinement data for capabilities
* @allowed: capabilities mask
* @audit: caps that are to be audited
+ * @denied: caps that are explicitly denied
* @quiet: caps that should not be audited
* @kill: caps that when requested will result in the task being killed
* @extended: caps that are subject finer grained mediation
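Review bot: The new `@denied` entry says only that the caps are "explicitly denied" and does not state how that set interacts with `allow` and `audit` when a capability appears in more than one of them, so a reader of the header cannot tell whether a denied cap is refused even when it is also in `allow` or whether it only changes the audit decision. The line should name the rule the enforcement code actually applies, for example ` * @denied: caps that are explicitly denied, refused even if also set in @allow` if that is the behaviour — the mediation code is not visible on this page, so the wording has to be confirmed against it. The same question applies to the `kernel_cap_t denied;` member added in the `struct aa_caps` hunk below, which is where the interpretation of the field is fixed. While touching this block, the existing `@allowed` tag does not match the member name `allow`; changing it to ` * @allow: capabilities mask` keeps the kernel-doc aligned with the struct.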
@@ -31,6 +32,7 @@ struct aa_profile;
struct aa_caps {
kernel_cap_t allow;
kernel_cap_t audit;
+ kernel_cap_t denied;
kernel_cap_t quiet;
kernel_cap_t kill;
kernel_cap_t extended;
@@ -38,7 +40,7 @@ struct aa_caps {
extern struct aa_sfs_entry aa_sfs_entry_caps[];
-int aa_capable(struct aa_profile *profile, int cap, int audit);
+int aa_capable(struct aa_label *label, int cap, int audit);
static inline void aa_free_cap_rules(struct aa_caps *caps)
{
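Review bot: The changed prototype `int aa_capable(struct aa_label *label, int cap, int audit);` still carries no kernel-doc, so the meaning of the `audit` argument (a boolean or an audit mode) and the return convention are undocumented at the one place a caller reads the declaration. Suggest a `/** ... */` block above it describing @label, @cap, @audit and the return value, following the style already used for `struct aa_caps` in this header. Because a label can presumably stand for more than one profile, that comment should also say whether the capability has to be permitted by every profile the label covers or by any of them; the new signature raises that question and nothing in the header answers it. The `aa_free_cap_rules` definition that begins at the end of the hunk continues outside it.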