[apparmor] [PATCH v2 4/4] apparmor: force auditing of conflicting attachment execs from confined
Ryan Lee
ryan.lee at canonical.com
Mon Jun 23 21:59:41 UTC 2025
On Sun, Jun 22, 2025 at 3:00 PM John Johansen
<john.johansen at canonical.com> wrote:
>
> On 6/13/25 09:32, Ryan Lee wrote:
> > Conflicting attachment paths are an error state that result in the
> > binary in question executing under an unexpected ix/ux fallback. As such,
> > it should be audited to record the occurrence of conflicting attachments.
> >
> > Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
>
> Ryan,
> your original patch made it into apparmor-next for the 6.16 that never
> happened.
>
> Ideally we wouldn't rebase for this. Can you apply this to apparmor-next
> and send it as a
>
> Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from confined")
> patch
>
Follow-up has been sent as
https://lists.ubuntu.com/archives/apparmor/2025-June/013705.html.
>
> > ---
> >
> > This is a v2 of https://lists.ubuntu.com/archives/apparmor/2025-May/013613.html.
> >
> > v1 -> v2: remove redundant perms.allow |= MAY_EXEC (which was also incorrectly outside of the intended conditional)
> > security/apparmor/domain.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> > index e8cd9badfb54..b33ce6be9427 100644
> > --- a/security/apparmor/domain.c
> > +++ b/security/apparmor/domain.c
> > @@ -724,6 +724,14 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
> > @@ -727,6 +727,16 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
> > new = x_to_label(profile, bprm, name, perms.xindex, &target,
> > &info);
> > if (new && new->proxy == profile->label.proxy && info) {
> > + /* Force audit on conflicting attachment fallback
> > + * Because perms is never used again after this audit
> > + * we don't need to care about clobbering it
> > + *
> > + * Because perms.allow MAY_EXEC bit is already set
> > + * we don't have to set it again
> > + */
> > + if (info == CONFLICTING_ATTACH_STR_IX
> > + || info == CONFLICTING_ATTACH_STR_UX)
> > + perms.audit |= MAY_EXEC;
> > /* hack ix fallback - improve how this is detected */
> > goto audit;
> > } else if (!new) {
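Review bot: the quoted hunk carries two `@@` headers (`-724,6 +724,14` and `-727,6 +727,16`) whose added-line counts disagree with each other, with the diffstat above (`1 file changed, 7 insertions(+)`) and with the ten `+` lines actually shown, so this will not apply as posted; please regenerate it against apparmor-next as the `Fixes:` patch John asked for. Style point for the new conditional: kernel style wants the logical operator at the end of the line, i.e. `if (info == CONFLICTING_ATTACH_STR_IX ||` with `info == CONFLICTING_ATTACH_STR_UX)` indented on the next line, rather than a line starting with `||`.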
>