diff options
| author | Ryan Lee <ryan.lee@canonical.com> | 2024-08-23 19:14:02 +0200 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2024-11-27 04:21:05 +0100 |
| commit | db93ca15e5aefe868ef095ee830a205f70f38b6e (patch) | |
| tree | 8d5f43d7d52a2e809f56302b909d7fb77462f466 /security | |
| parent | apparmor: allocate xmatch for nullpdb inside aa_alloc_null (diff) | |
| download | linux-db93ca15e5aefe868ef095ee830a205f70f38b6e.tar.xz linux-db93ca15e5aefe868ef095ee830a205f70f38b6e.zip | |
apparmor: properly handle cx/px lookup failure for complain
mode profiles
When a cx/px lookup fails, apparmor would deny execution of the binary
even in complain mode (where it would audit as allowing execution while
actually denying it). Instead, in complain mode, create a new learning
profile, just as would have been done if the cx/px line wasn't there.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/domain.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 2bc34dce9a46..55f250f5e2ac 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -680,12 +680,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, /* hack ix fallback - improve how this is detected */ goto audit; } else if (!new) { - error = -EACCES; info = "profile transition not found"; - /* remove MAY_EXEC to audit as failure */ + /* remove MAY_EXEC to audit as failure or complaint */ perms.allow &= ~MAY_EXEC; + if (COMPLAIN_MODE(profile)) { + /* create null profile instead of failing */ + goto create_learning_profile; + } + error = -EACCES; } } else if (COMPLAIN_MODE(profile)) { +create_learning_profile: /* no exec permission - learning mode */ struct aa_profile *new_profile = NULL; |