[apparmor] [PATCH 01/27] apparmor: fix auditing of domain transition failures due to incomplete policy
Steve Beattie
steve at nxnw.org
Wed Nov 21 14:43:29 UTC 2012
On Tue, Nov 20, 2012 at 08:39:41PM -0800, John Johansen wrote:
> When policy specifies a transition to a profile that is not currently
> loaded, it result in exec being denied. However the failure is not being
> audited correctly audited if only auditing denials.
>
> This is because the exec permission is was granted and is still set in
> the mask but the audit code is using this to mask of permissions requests
> that where granted.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-By: Steve Beattie <sbeattie at ubuntu.com> though a comment
explaining why you're manipulating perms.allow might be nice.
I can't decide if the need to do this feels like a failing of the
aa_audit_file() API.
> ---
> security/apparmor/domain.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 60f0c76..2cbb9df 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -443,6 +443,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
> } else {
> error = -ENOENT;
> info = "profile not found";
> + perms.allow &= ~MAY_EXEC;
> }
> }
> } else if (COMPLAIN_MODE(profile)) {
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20121121/742c15d7/attachment.pgp>
More information about the AppArmor
mailing list