apparmor: allow ns visibility question to consider subnses

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

security/apparmor/apparmorfs.c

@@ -750,7 +750,7 @@ static int seq_show_profile(struct seq_file *f, void *p)
 	struct aa_ns *root = f->private;
 
 	if (profile->ns != root)
-		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true));
 	seq_printf(f, "%s (%s)\n", profile->base.hname,
 		   aa_profile_mode_names[profile->mode]);
 

security/apparmor/include/policy_ns.h

@@ -74,8 +74,8 @@ extern struct aa_ns *root_ns;
 
 extern const char *aa_hidden_ns_name;
 
-bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view);
-const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child);
+bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
+const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
 void aa_free_ns(struct aa_ns *ns);
 int aa_alloc_root_ns(void);
 void aa_free_root_ns(void);

security/apparmor/policy_ns.c

@@ -33,18 +33,23 @@ const char *aa_hidden_ns_name = "---";
  * aa_ns_visible - test if @view is visible from @curr
  * @curr: namespace to treat as the parent (NOT NULL)
  * @view: namespace to test if visible from @curr (NOT NULL)
+ * @subns: whether view of a subns is allowed
  *
  * Returns: true if @view is visible from @curr else false
  */
-bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
+bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns)
 {
 	if (curr == view)
 		return true;
 
+	if (!subns)
+		return false;
+
 	for ( ; view; view = view->parent) {
 		if (view->parent == curr)
 			return true;
 	}
+
 	return false;
 }
 
@@ -52,16 +57,17 @@ bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
  * aa_na_name - Find the ns name to display for @view from @curr
  * @curr - current namespace (NOT NULL)
  * @view - namespace attempting to view (NOT NULL)
+ * @subns - are subns visible
  *
  * Returns: name of @view visible from @curr
  */
-const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view)
+const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
 {
 	/* if view == curr then the namespace name isn't displayed */
 	if (curr == view)
 		return "";
 
-	if (aa_ns_visible(curr, view)) {
+	if (aa_ns_visible(curr, view, subns)) {
 		/* at this point if a ns is visible it is in a view ns
 		 * thus the curr ns.hname is a prefix of its name.
 		 * Only output the virtualized portion of the name

security/apparmor/procattr.c

@@ -44,10 +44,10 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
 	struct aa_ns *current_ns = __aa_current_profile()->ns;
 	char *s;
 
-	if (!aa_ns_visible(current_ns, ns))
+	if (!aa_ns_visible(current_ns, ns, true))
 		return -EACCES;
 
-	ns_name = aa_ns_name(current_ns, ns);
+	ns_name = aa_ns_name(current_ns, ns, true);
 	ns_len = strlen(ns_name);
 
 	/* if the visible ns_name is > 0 increase size for : :// seperator */