aboutsummaryrefslogtreecommitdiffstats
diff options
authorRyan Lee <ryan.lee@canonical.com>2024-08-23 10:14:02 -0700
committerJohn Johansen <john.johansen@canonical.com>2024-11-09 10:29:08 -0800
commitee650b3820f3d127a31c589101b60fbb28e53989 (patch)
tree0630cf3810c6dbe1b598d0d5872e6ec87f004379
parent2b05c4cd52bc71dd60718f29713088c95ad9388d (diff)
downloadath-ee650b3820f3.tar.gz
apparmor: properly handle cx/px lookup failure for complain
Notice: this object is not reachable from any branch.
mode profiles When a cx/px lookup fails, apparmor would deny execution of the binary even in complain mode (where it would audit as allowing execution while actually denying it). Instead, in complain mode, create a new learning profile, just as would have been done if the cx/px line wasn't there. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Notice: this object is not reachable from any branch.
-rw-r--r--security/apparmor/domain.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 571158ec6188f..eda47df61d285 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -681,12 +681,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
/* hack ix fallback - improve how this is detected */
goto audit;
} else if (!new) {
- error = -EACCES;
info = "profile transition not found";
- /* remove MAY_EXEC to audit as failure */
+ /* remove MAY_EXEC to audit as failure or complaint */
perms.allow &= ~MAY_EXEC;
+ if (COMPLAIN_MODE(profile)) {
+ /* create null profile instead of failing */
+ goto create_learning_profile;
+ }
+ error = -EACCES;
}
} else if (COMPLAIN_MODE(profile)) {
+create_learning_profile:
/* no exec permission - learning mode */
struct aa_profile *new_profile = NULL;