apparmor: allow restricting unprivileged change_profile - kernel

diff options

author	John Johansen <[email protected]>	2023-08-09 07:26:36 +0000
committer	John Johansen <[email protected]>	2023-10-18 22:48:44 +0000
commit	2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (patch)
tree	3ddeaaf865425ba25becb5d22aa6173a59894298 /security/apparmor/audit.c
parent	apparmor: advertise disconnected.path is available (diff)
download	kernel-2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc.tar.gz kernel-2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc.zip

apparmor: allow restricting unprivileged change_profile

unprivileged unconfined can use change_profile to alter the confinement set by the mac admin. Allow restricting unprivileged unconfined by still allowing change_profile but stacking the change against unconfined. This allows unconfined to still apply system policy but allows the task to enter the new confinement. If unprivileged unconfined is required a sysctl is provided to switch to the previous behavior. Reviewed-by: Georgia Garcia <[email protected]> Signed-off-by: John Johansen <[email protected]>

Diffstat (limited to 'security/apparmor/audit.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: