authorJohn Johansen <john.johansen@canonical.com>2021-04-03 20:07:37 +0200
committerJohn Johansen <john.johansen@canonical.com>2021-11-01 21:05:40 +0100
commitdc155617fa5bf5bddbeb99dc781dd011ed23b90f (patch)
tree48de76d59c8d2d2d99822d553319cbfb97a6f753 /security
parentapparmor: fix error check (diff)
apparmor: Fix internal policy capable check for policy management
The check was incorrectly treating a returned error as a boolean. Fixes: 31ec99e13346 ("apparmor: switch to apparmor to internal capable check for policy management") Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/policy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 9ce93966401a..4da4f3df9d4a 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -678,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
{
struct user_namespace *user_ns = current_user_ns();
- bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);
+ bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;
AA_DEBUG("cap_mac_admin? %d\n", capable);
AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
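Review bot: The `== 0` on the `capable` initializer is undocumented and easy to "simplify" away again, because policy_ns_capable() has a boolean-sounding name but, per the commit message, returns an error code. A one-line comment above the declaration would record the convention, e.g. `/* policy_ns_capable() returns 0 when the capability is held, an error otherwise */`. This value appears to gate policy administration, so an inverted result would presumably grant the check to tasks without CAP_MAC_ADMIN and deny it to tasks that have it. Any other callers of policy_ns_capable() outside this hunk are worth checking for the same boolean treatment. The body of aa_policy_admin_capable continues past the end of the hunk, so how `capable` is combined with `aa_g_lock_policy` is not visible here.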