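Index: b/security/apparmor/lsm.c
===================================================================
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -467,6 +467,22 @@ out:
 return error;
 }
 
+static int apparmor_task_create(unsigned long clone_flags)
+{
+ struct aa_profile *profile;
+ int error = 0;
+
+ profile = aa_get_profile(current);
+ if (profile) {
+ /* Don't allow to create new namespaces. */
+ if (clone_flags & CLONE_NEWNS)
+ error = -EPERM;
+ }
+ aa_put_profile(profile);
+
+ return error;
+}
+
 static int apparmor_file_alloc_security(struct file *file)
 {
 struct aa_profile *profile;
@@ -714,6 +730,7 @@ struct security_operations apparmor_ops
 .file_mmap = apparmor_file_mmap,
 .file_mprotect = apparmor_file_mprotect,
 
+ .task_create = apparmor_task_create,
 .task_alloc_security = apparmor_task_alloc_security,
 .task_free_security = apparmor_task_free_security,
 .task_post_setuid = apparmor_task_post_setuid,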
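Review bot: The check in apparmor_task_create tests only `CLONE_NEWNS`, while its comment says new namespaces in general are refused; the comment should state what is blocked and why, e.g. `/* Confined tasks may not create a new mount namespace: path-based rules are resolved against the task's mount tree. */` (the rationale is inferred from the flag, please confirm). The denial also returns `-EPERM` without emitting an audit record and tests only `if (profile)`, so enforce and complain mode are treated alike and a failed clone() leaves nothing in the log pointing at AppArmor. Judging by its name the hook sits on the process-creation path, so it is worth confirming whether unshare(2) with the same flag is mediated elsewhere in the target kernel; nothing in this patch handles it.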