apparmor: move capability checks to using labels

Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
index 1218e95..e0304e2 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -19,11 +19,12 @@
 
 #include "apparmorfs.h"
 
-struct aa_profile;
+struct aa_label;
 
 /* aa_caps - confinement data for capabilities
  * @allowed: capabilities mask
  * @audit: caps that are to be audited
+ * @denied: caps that are explicitly denied
  * @quiet: caps that should not be audited
  * @kill: caps that when requested will result in the task being killed
  * @extended: caps that are subject finer grained mediation
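Review bot: The added `@denied` line does not say how this mask combines with the allow mask, which is what a reader of a mediation structure needs to know when a capability can be set in both. If an explicit deny is meant to override an allow, the comment should say so, for example ` * @denied: caps that are explicitly denied, overriding @allow`. The same comment block documents `@allowed` while the member shown in the next hunk is `allow`, so that entry is worth correcting while the block is being edited. The next hunk adds the `denied` member itself, and nothing visible in this header shows where it is filled in. It is worth confirming that policy loading sets it, or that a zeroed mask is the intended default.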
@@ -31,6 +32,7 @@ struct aa_profile;
 struct aa_caps {
 	kernel_cap_t allow;
 	kernel_cap_t audit;
+	kernel_cap_t denied;
 	kernel_cap_t quiet;
 	kernel_cap_t kill;
 	kernel_cap_t extended;
@@ -38,7 +40,7 @@ struct aa_caps {
 
 extern struct aa_sfs_entry aa_sfs_entry_caps[];
 
-int aa_capable(struct aa_profile *profile, int cap, int audit);
+int aa_capable(struct aa_label *label, int cap, int audit);
 
 static inline void aa_free_cap_rules(struct aa_caps *caps)
 {
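Review bot: The `aa_capable()` prototype now takes a `struct aa_label *` but has no comment describing its contract, which is less obvious for a label than it was for a single profile. If a label can stand for more than one profile, the declaration should state how the per-profile results combine. A capability check should fail closed, so that one refusing profile is enough to return an error. A short comment above the prototype would cover this, for example `/* returns 0 if every profile in @label allows @cap, else a negative errno */`, adjusted to what the implementation actually does. `aa_free_cap_rules()` begins in this hunk and its body continues outside it.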