From: John Johansen Date: Sat, 3 Apr 2021 18:07:37 +0000 (-0700) Subject: apparmor: Fix internal policy capable check for policy management X-Git-Tag: v6.1-rc5~2655^2~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=dc155617fa5bf5bddbeb99dc781dd011ed23b90f;p=platform%2Fkernel%2Flinux-starfive.git apparmor: Fix internal policy capable check for policy management The check was incorrectly treating a returned error as a boolean. Fixes: 31ec99e13346 ("apparmor: switch to apparmor to internal capable check for policy management") Signed-off-by: John Johansen --- diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 9ce9396..4da4f3d 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -678,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns) bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns) { struct user_namespace *user_ns = current_user_ns(); - bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN); + bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0; AA_DEBUG("cap_mac_admin? %d\n", capable); AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
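Review bot: The commit message should state that the old initializer in aa_policy_admin_capable() inverted the check, not just that an error was "treated as a boolean". With policy_ns_capable() returning 0 on success and an error code otherwise, as the message implies, the removed line made `capable` false when the CAP_MAC_ADMIN check succeeded and true when it failed. That is a security-relevant behaviour change for anyone backporting, and it deserves one sentence in the message. The `== 0` itself looks right under that return convention. Because an int error silently converts to bool, consider storing the return value in an int (for example `int err = policy_ns_capable(...)`) and deriving `capable` from `!err`, or adding a short comment on the 0-on-success convention, so the same mistake is harder to reintroduce. Also worth confirming that aa_policy_view_capable(), visible in the hunk header just above, does not consume policy_ns_capable() in the same way. The patch does not show its body.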