| author | Ryan Lee <ryan.lee@canonical.com> | 2024-08-23 10:14:02 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2024-11-09 10:29:08 -0800 |
| commit | ee650b3820f3d127a31c589101b60fbb28e53989 (patch) | |
| tree | 0630cf3810c6dbe1b598d0d5872e6ec87f004379 | |
| parent | 2b05c4cd52bc71dd60718f29713088c95ad9388d (diff) | |
| download | ath-ee650b3820f3.tar.gz | |
apparmor: properly handle cx/px lookup failure for complain mode profiles
Notice: this object is not reachable from any branch.
When a cx/px lookup fails, apparmor would deny execution of the binary
even in complain mode (where it would audit as allowing execution while
actually denying it). Instead, in complain mode, create a new learning
profile, just as would have been done if the cx/px line wasn't there.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
| -rw-r--r-- | security/apparmor/domain.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 571158ec6188f..eda47df61d285 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -681,12 +681,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, /* hack ix fallback - improve how this is detected */ goto audit; } else if (!new) { - error = -EACCES; info = "profile transition not found"; - /* remove MAY_EXEC to audit as failure */ + /* remove MAY_EXEC to audit as failure or complaint */ perms.allow &= ~MAY_EXEC; + if (COMPLAIN_MODE(profile)) { + /* create null profile instead of failing */ + goto create_learning_profile; + } + error = -EACCES; } } else if (COMPLAIN_MODE(profile)) { +create_learning_profile: /* no exec permission - learning mode */ struct aa_profile *new_profile = NULL; |
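Review bot: the new `create_learning_profile:` label is placed directly before the declaration `struct aa_profile *new_profile = NULL;`, and a label followed by a declaration rather than a statement is rejected by pre-C23 C and by older compilers; either move the declaration above the label or put the label on a statement (an empty `;` after the label is the minimal fix). Two smaller points on the same hunk: the `goto` now enters the `else if (COMPLAIN_MODE(profile))` block from a path where a cx/px rule did exist but its target lookup failed, so the comment `/* no exec permission - learning mode */` no longer describes both entry paths and should say that the learning profile is also created when the transition target is missing; and since `error = -EACCES;` was moved below the new `if (COMPLAIN_MODE(profile))` check, it is worth stating in the commit message that the failure branch keeps `info = "profile transition not found"` and clears `MAY_EXEC` for both the denial and the complaint audit, which the updated comment `/* remove MAY_EXEC to audit as failure or complaint */` only hints at.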
