[apparmor] [PATCH v2 4/4] apparmor: force auditing of conflicting attachment execs from confined

[Ryan Lee]

Conflicting attachment paths are an error state that result in the
binary in question executing under an unexpected ix/ux fallback. As such,
it should be audited to record the occurrence of conflicting attachments.

Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---

This is a v2 of https://lists.ubuntu.com/archives/apparmor/2025-May/013613.html.

v1 -> v2: remove redundant perms.allow |= MAY_EXEC (which was also incorrectly outside of the intended conditional)
 security/apparmor/domain.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index e8cd9badfb54..b33ce6be9427 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -724,6 +724,14 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
@@ -727,6 +727,16 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 		new = x_to_label(profile, bprm, name, perms.xindex, &target,
 				 &info);
 		if (new && new->proxy == profile->label.proxy && info) {
+			/* Force audit on conflicting attachment fallback
+			 * Because perms is never used again after this audit
+			 * we don't need to care about clobbering it
+			 *
+			 * Because perms.allow MAY_EXEC bit is already set
+			 * we don't have to set it again
+			 */
+			if (info == CONFLICTING_ATTACH_STR_IX
+			   || info == CONFLICTING_ATTACH_STR_UX)
+				perms.audit |= MAY_EXEC;
 			/* hack ix fallback - improve how this is detected */
 			goto audit;
 		} else if (!new) {
-- 
2.43.0