[apparmor] [PATCH 01/27] apparmor: fix auditing of domain transition failures due to incomplete policy
Christian Boltz
apparmor at cboltz.de
Wed Nov 21 19:41:16 UTC 2012
Hello,
On Tuesday, 20 November 2012, John Johansen wrote:
> When policy specifies a transition to a profile that is not currently
> loaded, it results in exec being denied. However, the failure is not
> being audited correctly if only auditing denials.
>
> This is because the exec permission was granted and is still set in
> the mask, but the audit code is using this to mask off permission
> requests that were granted.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
> security/apparmor/domain.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 60f0c76..2cbb9df 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -443,6 +443,7 @@ int apparmor_bprm_set_creds(struct linux_binprm
> *bprm) } else {
> error = -ENOENT;
> info = "profile not found";
> + perms.allow &= ~MAY_EXEC;
> }
> }
> } else if (COMPLAIN_MODE(profile)) {
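Review bot: the added `perms.allow &= ~MAY_EXEC;` in the "profile not found" branch carries no comment, and clearing a bit in the allow mask on an error path is not self-explanatory. Add a short comment above it saying the bit is cleared so that the denial is still reported when only denials are audited, as the commit message explains. The hunk also does not show where `perms` is declared, so the comment or commit message should state whether the change affects only this exec attempt.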
A maybe silly question, with the usual disclaimer that I don't know the
code around: How permanent/global is the removal of MAY_EXEC?
Let's assume
- the profile contains /bin/* Px,
- the program wants to execute /bin/foo and /bin/bar
- there is no profile for /bin/foo
- a profile for /bin/bar is loaded
Now your code removes the MAY_EXEC permission when trying to execute
/bin/foo. Will /bin/bar still be allowed to be executed?
(And, as Steve already wrote, please add a comment to the code
explaining why you modify perms.allow.)
Regards,
Christian Boltz
--
2 min later... "Ah, that's my boys for you..." Laugh... :-)
Honestly, like little rascals... And now don't come to me with "Mom,
he started it and didn't stick to the etiquette".
[Jessica Bleche in suse-linux]