[apparmor] Pesky '=' in subj= of audit in mainline
John Johansen
john.johansen at canonical.com
Tue Dec 14 00:28:09 UTC 2021
On 12/13/21 9:48 AM, Casey Schaufler wrote:
> The Ubuntu kernel has "subj=unconfined" in its audit records.
> The Linus v5.16-rc4 kernel has "subj==unconfined".
>
> I see in the upstream where the extra "=" comes from, but I
I assume this is from
label.c, lines 1634-1638:

	if (flags & FLAG_ABS_ROOT) {
		ns = root_ns;
		len = snprintf(str, size, "=");
		update_for_len(total, len, size, str);
	} else if (!ns) {

It is called when secids are being used without context.
This was an unfortunate choice made long ago. It is something
I have looked at removing, and if this is rearing its head
with upstream kernels we will have to fix it ASAP.
> don't see how to get to that code. I have not looked into the
> patches Ubuntu is using, but there must be something.
>
You won't find the code that calls this for some Ubuntu kernels
because secid auditing was reverted so the LSM stacking patches
could be used with extended network mediation (af_unix)
without issues.
This is something that needs to be fixed as well.
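
Added example, not part of the original message and not AppArmor or audit code: a log consumer that tolerates both forms of the field discussed in this thread. A tokenizer that splits every `key=value` pair on all `=` characters fails on `subj==unconfined`, while one that splits on the first `=` only can then strip the prefix that label.c prints when FLAG_ABS_ROOT is set. The function names and the sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample records (not from a real system): the first mimics the
# Ubuntu form quoted in the thread, the second the v5.16-rc4 form.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1639441689.123:101): pid=812 comm="cat" subj=unconfined key="demo"',
    'type=SYSCALL msg=audit(1639441689.456:102): pid=813 comm="cat" subj==unconfined key="demo"',
]

# key=value, where the value is a double-quoted string or a run of non-space
# characters. The key ends at the FIRST '=', so a value may begin with '='.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')


def naive_parse(line):
    """Fragile tokenizer: splits each token on every '='.
    Raises ValueError on 'subj==unconfined' (three parts instead of two)."""
    return dict(tok.split("=") for tok in line.split())


def parse_audit_fields(line):
    """Return {key: raw value} for one record, splitting on the first '=' only."""
    fields = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # drop surrounding quotes
        fields[key] = value
    return fields


def normalize_subj(raw):
    """Return (label, had_prefix): strip one leading '=' and report whether
    it was present, so detections can match on the bare label."""
    if len(raw) > 1 and raw.startswith("="):
        return raw[1:], True
    return raw, False


def subjects(lines):
    """Normalized subj values for every record that carries one."""
    parsed = (parse_audit_fields(line) for line in lines)
    return [normalize_subj(f["subj"]) for f in parsed if "subj" in f]


if __name__ == "__main__":
    for label, had_prefix in subjects(SAMPLE_RECORDS):
        print(label, "(prefixed)" if had_prefix else "")
```

Keeping the `had_prefix` flag lets a detection rule match on the bare label while still recording which kernel form produced the record.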