[apparmor] [PATCH 01/27] apparmor: fix auditing of domain transition failures due to incomplete policy
John Johansen
john.johansen at canonical.com
Wed Nov 21 20:03:54 UTC 2012
On 11/21/2012 11:41 AM, Christian Boltz wrote:
> Hello,
>
> Am Dienstag, 20. November 2012 schrieb John Johansen:
>> When policy specifies a transition to a profile that is not currently
>> loaded, it results in exec being denied. However, the failure is not
>> being audited correctly if only auditing denials.
>>
>> This is because the exec permission was granted and is still set in
>> the mask, but the audit code is using this to mask off permission
>> requests that were granted.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>> security/apparmor/domain.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
>> index 60f0c76..2cbb9df 100644
>> --- a/security/apparmor/domain.c
>> +++ b/security/apparmor/domain.c
>> @@ -443,6 +443,7 @@ int apparmor_bprm_set_creds(struct linux_binprm
>> *bprm) } else {
>> error = -ENOENT;
>> info = "profile not found";
>> + perms.allow &= ~MAY_EXEC;
>> }
>> }
>> } else if (COMPLAIN_MODE(profile)) {
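Review bot: the added `perms.allow &= ~MAY_EXEC;` in the "profile not found" branch needs a one-line comment saying why a granted bit is being cleared on an error path, because nothing in the hunk tells a reader that `perms` is a per-lookup local and that the bit is cleared only so the deny-only audit path, which masks off granted bits, reports the failed transition; something like `/* exec was granted but the target profile is missing: clear so audit reports the denial */` would make the scope obvious. Also worth confirming whether the other transition-failure branches of this function need the same treatment: the subject line speaks of transition failures due to incomplete policy in general, but the hunk touches only this one `error = -ENOENT` case.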
>
> A maybe silly question, with the usual disclaimer that I don't know the
> code around: How permanent/global is the removal of MAY_EXEC?
>
> Let's assume
> - the profile contains /bin/* Px,
> - the program wants to execute /bin/foo and /bin/bar
> - there is no profile for /bin/foo
> - a profile for /bin/bar is loaded
>
> Now your code removes the MAY_EXEC permission when trying to execute
> /bin/foo. Will /bin/bar still be allowed to be executed?
It's not at all permanent or global; it's only removing it for this single
instance of this single lookup. If the exec is tried again, it will look up
the permission and go through the same thing if it can't find the profile.
So if you load a profile to fix the problem between attempts, the failure
will go away.
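As an added worked example (not code from the kernel or from the AppArmor project), the following C model plays Christian's scenario through the masking the commit message describes: a single rule "/bin/* Px", a loaded profile for /bin/bar and none for /bin/foo, with the patch's one-line change switchable on and off. Everything in it is constructed for the model: the MAY_EXEC bit value, the struct and function names, the rule, and the small table standing in for the loaded-profile namespace.

```c
/*
 * Added example, not AppArmor kernel code: a model of deny-only auditing
 * masking off granted bits, as described in the commit message above.
 * Bit values, names and the policy table are all constructed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAY_EXEC 0x1u            /* assumed bit value for the model */
#define MAX_PROFILES 8

/* Granted vs. requested bits for one lookup (stand-in for file_perms). */
struct perms {
    unsigned int allow;          /* bits policy grants */
    unsigned int request;        /* bits the operation asked for */
};

/* Constructed stand-in for the set of currently loaded profiles. */
struct policy {
    const char *loaded[MAX_PROFILES];
    int nloaded;
};

struct exec_result {
    int error;                   /* 0 or negative errno */
    bool audited;                /* would a deny-only audit record be emitted? */
    const char *info;            /* model of the "info" string in the hunk */
};

static bool profile_loaded(const struct policy *p, const char *name)
{
    for (int i = 0; i < p->nloaded; i++)
        if (strcmp(p->loaded[i], name) == 0)
            return true;
    return false;
}

/* Load a profile; returns 0, or -ENOSPC if the constructed table is full. */
int load_profile(struct policy *p, const char *name)
{
    if (p->nloaded >= MAX_PROFILES)
        return -ENOSPC;
    p->loaded[p->nloaded++] = name;
    return 0;
}

/* Model of the "profile not found" branch for one constructed rule "/bin/* Px":
 * policy grants exec, and the target profile is named by the executable's
 * path. apply_fix selects whether the patch's clearing of MAY_EXEC is applied. */
static int resolve_exec(const struct policy *p, const char *path, bool apply_fix,
                        struct perms *perms, const char **info)
{
    perms->request = MAY_EXEC;
    perms->allow = 0;
    *info = NULL;

    if (strncmp(path, "/bin/", 5) != 0) {
        *info = "no matching rule";    /* nothing granted: plain denial */
        return -EACCES;
    }
    perms->allow |= MAY_EXEC;          /* rule matched: exec was granted */

    if (!profile_loaded(p, path)) {
        *info = "profile not found";
        if (apply_fix)
            perms->allow &= ~MAY_EXEC; /* the patch: un-grant so audit sees a denial */
        return -ENOENT;
    }
    return 0;
}

/* Deny-only auditing as the commit message describes it: granted bits are
 * masked off the request and a record is emitted only if bits remain.
 * (The real audit path's quiet/kill handling is left out of the model.) */
static bool audit_denial(const struct perms *perms, int error)
{
    if (error == 0)
        return false;                  /* only auditing denials */
    return (perms->request & ~perms->allow) != 0;
}

struct exec_result try_exec(struct policy *p, const char *path, bool apply_fix)
{
    struct perms perms;                /* per-call local: a cleared bit lives only here */
    struct exec_result r;
    r.error = resolve_exec(p, path, apply_fix, &perms, &r.info);
    r.audited = audit_denial(&perms, r.error);
    return r;
}

int main(void)
{
    struct policy p = { .loaded = { "/bin/bar" }, .nloaded = 1 };
    const char *paths[] = { "/bin/foo", "/bin/bar" };
    for (int fix = 0; fix < 2; fix++)
        for (int i = 0; i < 2; i++) {
            struct exec_result r = try_exec(&p, paths[i], fix);
            printf("fix=%d exec %s: error=%d audited=%d info=%s\n", fix,
                   paths[i], r.error, r.audited, r.info ? r.info : "-");
        }
    load_profile(&p, "/bin/foo");      /* fix the policy gap between attempts */
    struct exec_result r = try_exec(&p, "/bin/foo", true);
    printf("after loading /bin/foo: error=%d audited=%d\n", r.error, r.audited);
    return 0;
}
```

Under the model, the pre-patch lookup of /bin/foo returns -ENOENT yet produces no audit record, because MAY_EXEC is still in allow and masks the request down to nothing; with the patch applied the same lookup is reported. /bin/bar succeeds either way, a path outside the rule is reported as an ordinary denial, and loading a profile for /bin/foo between attempts makes the next lookup succeed, since the cleared bit only ever existed in that call's local perms.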