git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	John Johansen <john.johansen@canonical.com>
	Wed, 9 Aug 2023 07:26:36 +0000 (00:26 -0700)
committer	John Johansen <john.johansen@canonical.com>
	Wed, 18 Oct 2023 22:48:44 +0000 (15:48 -0700)
commit	2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc
tree	3ddeaaf865425ba25becb5d22aa6173a59894298	tree \| snapshot
parent	e105d8079f82819f4773c4853dc199e195fedf40	commit \| diff

apparmor: allow restricting unprivileged change_profile

unprivileged unconfined can use change_profile to alter the confinement
set by the mac admin.

Allow restricting unprivileged unconfined by still allowing change_profile
but stacking the change against unconfined. This allows unconfined to
still apply system policy but allows the task to enter the new confinement.

If unprivileged unconfined is required a sysctl is provided to switch
to the previous behavior.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

security/apparmor/apparmorfs.c		diff \| blob \| blame \| history
security/apparmor/domain.c		diff \| blob \| blame \| history
security/apparmor/include/policy.h		diff \| blob \| blame \| history
security/apparmor/lsm.c		diff \| blob \| blame \| history
security/apparmor/policy.c		diff \| blob \| blame \| history