summaryrefslogtreecommitdiffstats
path: root/security/apparmor/capability.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/apparmor/capability.c')
-rw-r--r--security/apparmor/capability.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 1101c6f64bb7..ed0a3e6b8022 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -15,6 +15,7 @@
#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/gfp.h>
+#include <linux/security.h>
#include "include/apparmor.h"
#include "include/capability.h"
@@ -55,6 +56,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
* audit_caps - audit a capability
* @profile: profile being tested for confinement (NOT NULL)
* @cap: capability tested
+ @audit: whether an audit record should be generated
* @error: error code returned by test
*
* Do auditing of capability and handle, audit/complain/kill modes switching
@@ -62,17 +64,16 @@ static void audit_cb(struct audit_buffer *ab, void *va)
*
* Returns: 0 or sa->error on success, error code on failure
*/
-static int audit_caps(struct aa_profile *profile, int cap, int error)
+static int audit_caps(struct aa_profile *profile, int cap, int audit,
+ int error)
{
struct audit_cache *ent;
int type = AUDIT_APPARMOR_AUTO;
- struct common_audit_data sa;
- struct apparmor_audit_data aad = {0,};
- sa.type = LSM_AUDIT_DATA_CAP;
- sa.aad = &aad;
+ DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
sa.u.cap = cap;
- sa.aad->op = OP_CAPABLE;
- sa.aad->error = error;
+ aad(&sa)->error = error;
+ if (audit == SECURITY_CAP_NOAUDIT)
+ aad(&sa)->info = "optional: no audit";
if (likely(!error)) {
/* test if auditing is being forced */
@@ -104,7 +105,7 @@ static int audit_caps(struct aa_profile *profile, int cap, int error)
}
put_cpu_var(audit_cache);
- return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);
+ return aa_audit(type, profile, &sa, audit_cb);
}
/**
@@ -133,11 +134,10 @@ int aa_capable(struct aa_profile *profile, int cap, int audit)
{
int error = profile_capable(profile, cap);
- if (!audit) {
- if (COMPLAIN_MODE(profile))
- return complain_error(error);
- return error;
+ if (audit == SECURITY_CAP_NOAUDIT) {
+ if (!COMPLAIN_MODE(profile))
+ return error;
}
- return audit_caps(profile, cap, error);
+ return audit_caps(profile, cap, audit, error);
}