apparmor: pass cred through to audit info.

The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

1 files changed, 4 insertions, 1 deletions

diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 35979a832994..0b7d2b1086c9 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -140,6 +140,7 @@ static int profile_capable(struct aa_profile *profile, int cap,
 
 /**
  * aa_capable - test permission to use capability
+ * @subj_cread: cred we are testing capability against
  * @label: label being tested for capability (NOT NULL)
  * @cap: capability to be tested
  * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
@@ -148,12 +149,14 @@ static int profile_capable(struct aa_profile *profile, int cap,
  *
  * Returns: 0 on success, or else an error code.
  */
-int aa_capable(struct aa_label *label, int cap, unsigned int opts)
+int aa_capable(const struct cred *subj_cred, struct aa_label *label,
+	       int cap, unsigned int opts)
 {
 	struct aa_profile *profile;
 	int error = 0;
 	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);
 
+	ad.subj_cred = subj_cred;
 	ad.common.u.cap = cap;
 	error = fn_for_each_confined(label, profile,
 			profile_capable(profile, cap, opts, &ad));