Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 038165070aa55375d4bdd2f84b34a486feca63d6^! / . / security / apparmor / policy.c
commit038165070aa55375d4bdd2f84b34a486feca63d6[log] [tgz]
authorJohn Johansen <john.johansen@canonical.com>Wed Jul 10 21:12:43 2013 -0700
committerJohn Johansen <john.johansen@canonical.com>Wed Aug 14 11:42:07 2013 -0700
tree327014e8b5120a0ccc66418159c72f769e9b174d
parent8651e1d6572bc2c061073f05fabcd7175789259d [diff] [blame]
apparmor: allow setting any profile into the unconfined state

Allow emulating the default profile behavior from boot, by allowing
loading of a profile in the unconfined state into a new NS.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 7a80b0c..2e4e2ec 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c

@@ -96,6 +96,7 @@
 	"enforce",
 	"complain",
 	"kill",
+	"unconfined",
 };
 
 /**
@@ -290,8 +291,9 @@
 	if (!ns->unconfined)
 		goto fail_unconfined;
 
-	ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
-	    PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
+	ns->unconfined->flags = PFLAG_IX_ON_NAME_ERROR |
+		PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
+	ns->unconfined->mode = APPARMOR_UNCONFINED;
 
 	/* ns and ns->unconfined share ns->unconfined refcount */
 	ns->unconfined->ns = ns;