apparmor: Fix internal policy capable check for policy management

jrjohansen · jrjohansen · commit dc155617fa5b · 2021-11-01T13:05:40.000-07:00
The check was incorrectly treating a returned error as a boolean. Fixes: 31ec99e ("apparmor: switch to apparmor to internal capable check for policy management") Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
@@ -678,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
 {
 	struct user_namespace *user_ns = current_user_ns();
-	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);
+	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;
 
 	AA_DEBUG("cap_mac_admin? %d\n", capable);
 	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);

Original file line number	Diff line number	Diff line change
`@@ -678,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label label, struct aa_ns ns)`
`678`	`678`	`bool aa_policy_admin_capable(struct aa_label label, struct aa_ns ns)`
`679`	`679`	`{`
`680`	`680`	`struct user_namespace *user_ns = current_user_ns();`
`681`		`- bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);`
	`681`	`+ bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;`
`682`	`682`
`683`	`683`	`AA_DEBUG("cap_mac_admin? %d\n", capable);`
`684`	`684`	`AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);`