apparmor: Fix internal policy capable check for policy management

The check was incorrectly treating a returned error as a boolean. Fixes: 31ec99e13346 ("apparmor: switch to apparmor to internal capable check for policy management") Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen 2021-04-03 11:07:37 -0700
committer: John Johansen 2021-11-01 13:05:40 -0700
commit: dc155617fa5bf5bddbeb99dc781dd011ed23b90f (patch)
tree: 48de76d59c8d2d2d99822d553319cbfb97a6f753
parent: d108370c644b153382632b3e5511ade575c91c86 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 9ce93966401a..4da4f3df9d4a 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -678,7 +678,7 @@ bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
 {
 	struct user_namespace *user_ns = current_user_ns();
-	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN);
+	bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;
 
 	AA_DEBUG("cap_mac_admin? %d\n", capable);
 	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
author	John Johansen	2021-04-03 11:07:37 -0700
committer	John Johansen	2021-11-01 13:05:40 -0700
commit	dc155617fa5bf5bddbeb99dc781dd011ed23b90f (patch)
tree	48de76d59c8d2d2d99822d553319cbfb97a6f753
parent	d108370c644b153382632b3e5511ade575c91c86 (diff)