[apparmor] [PATCH 4/4] apparmor: force auditing of conflicting attachment execs from confined

Thu Jun 12 21:24:21 UTC 2025

Update: turns out that this patch has a small but critical
typographical error (both the perms modification lines should be under
the conditional in braces), so we'll be sending a fixed patch as a v2.

On Thu, May 1, 2025 at 5:56 PM Ryan Lee <ryan.lee at canonical.com> wrote:
>
> Conflicting attachment paths are an error state that result in the
> binary in question executing under an unexpected ix/ux fallback. As such,
> it should be audited to record the occurrence of conflicting attachments.
>
> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
> ---
>  security/apparmor/domain.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index e8cd9badfb54..b33ce6be9427 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -724,6 +724,14 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
>                 new = x_to_label(profile, bprm, name, perms.xindex, &target,
>                                  &info);
>                 if (new && new->proxy == profile->label.proxy && info) {
> +                       /* Force audit on conflicting attachment fallback
> +                        * Because perms is never used again after this audit
> +                        * we don't need to care about clobbering it
> +                        */
> +                       if (info == CONFLICTING_ATTACH_STR_IX
> +                          || info == CONFLICTING_ATTACH_STR_UX)
> +                               perms.audit |= MAY_EXEC;
> +                               perms.allow |= MAY_EXEC;
>                         /* hack ix fallback - improve how this is detected */
>                         goto audit;
>                 } else if (!new) {
> --
> 2.43.0
>