author | John Johansen <john.johansen@canonical.com> | 2017-01-16 00:42:25 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 01:18:22 -0800 |
commit | 92b6d8eff55f8dca57ade26e1dde2c3b6acdae02 (patch) | |
tree | fbfa2973ecd4185de867f62e37878077a0738904 /security/apparmor/policy_ns.c | |
parent | 31617ddfdd7764a5046f076247208aa324458069 (diff) | |
apparmor: allow ns visibility question to consider subnses
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy_ns.c')
-rw-r--r-- | security/apparmor/policy_ns.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
index bab23cce197c..e7b7a829532e 100644
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -33,18 +33,23 @@ const char *aa_hidden_ns_name = "---";
  * aa_ns_visible - test if @view is visible from @curr
  * @curr: namespace to treat as the parent (NOT NULL)
  * @view: namespace to test if visible from @curr (NOT NULL)
+ * @subns: whether view of a subns is allowed
  *
  * Returns: true if @view is visible from @curr else false
  */
-bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
+bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns)
 {
 	if (curr == view)
 		return true;
 
+	if (!subns)
+		return false;
+
 	for ( ; view; view = view->parent) {
 		if (view->parent == curr)
 			return true;
 	}
+
 	return false;
 }
 
@@ -52,16 +57,17 @@ bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
  * aa_na_name - Find the ns name to display for @view from @curr
  * @curr - current namespace (NOT NULL)
  * @view - namespace attempting to view (NOT NULL)
+ * @subns - are subns visible
  *
  * Returns: name of @view visible from @curr
  */
-const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view)
+const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
 {
 	/* if view == curr then the namespace name isn't displayed */
 	if (curr == view)
 		return "";
 
-	if (aa_ns_visible(curr, view)) {
+	if (aa_ns_visible(curr, view, subns)) {
 		/* at this point if a ns is visible it is in a view ns
 		 * thus the curr ns.hname is a prefix of its name.
 		 * Only output the virtualized portion of the name
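Review bot: The kernel-doc line `+ * @subns: whether view of a subns is allowed` does not state what the flag gates, which is the new `if (!subns) return false;` placed right after the identity check: with @subns false the only namespace visible from @curr is @curr itself and the ancestor walk below is never reached. Suggest ` * @subns: if true, namespaces nested below @curr are also visible; if false, only @curr itself is` so that a caller passing `false` can see it is choosing identity-only visibility. Since this function decides policy visibility, having the restrictive case spelled out at the declaration makes each call site's choice of flag easier to audit.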
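Review bot: The kernel-doc header on the context line reads `* aa_na_name - Find the ns name to display for @view from @curr` while the function below is `aa_ns_name`; since the commit already edits this comment block to add @subns, the name could be corrected to ` * aa_ns_name - Find the ns name to display for @view from @curr` in the same change. The new `+ * @subns - are subns visible` line would also be clearer as ` * @subns - whether namespaces nested below @curr may be named`, matching what the `aa_ns_visible(curr, view, subns)` call decides. aa_ns_name's body continues past the end of the hunk, so the not-visible branch (presumably the one that uses the `aa_hidden_ns_name` shown in the first hunk header) is not in view here.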