[apparmor] [PATCH] apparmor: remove redundant perms.allow MAY_EXEC bitflag set
John Johansen
john.johansen at canonical.com
Sun Jun 29 11:40:44 UTC 2025
On 6/23/25 14:58, Ryan Lee wrote:
> This section of profile_transition that occurs after x_to_label only
> happens if perms.allow already has the MAY_EXEC bit set, so we don't need
> to set it again.
>
> Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from confined")
> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> This is a follow-up to the patch sent here:
>
> https://lists.ubuntu.com/archives/apparmor/2025-May/013613.html
>
> The original patch I sent contained a missing braces typo that was fixed
> in the version of the patch that was actually applied, but the applied
> version still has the redundant bitflag set operation.
>
> security/apparmor/domain.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index f9370a63a83c..d689597f253b 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -734,10 +734,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
> * we don't need to care about clobbering it
> */
> if (info == CONFLICTING_ATTACH_STR_IX
> - || info == CONFLICTING_ATTACH_STR_UX) {
> + || info == CONFLICTING_ATTACH_STR_UX)
> perms.audit |= MAY_EXEC;
> - perms.allow |= MAY_EXEC;
> - }
> /* hack ix fallback - improve how this is detected */
> goto audit;
> } else if (!new) {
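Review bot: Dropping `perms.allow |= MAY_EXEC;` from the `CONFLICTING_ATTACH_STR_IX` / `CONFLICTING_ATTACH_STR_UX` branch is only correct because of an invariant that is not visible in this hunk: per the commit message, the code after x_to_label runs only when perms.allow already has MAY_EXEC set. The visible tail of the comment above the `if` ("we don't need to care about clobbering it") does not say what guarantees that bit, so consider extending the comment to state that perms.allow already carries MAY_EXEC at this point. Otherwise a later change to the entry condition could leave `perms.audit |= MAY_EXEC;` forcing an audit of an exec whose allow bit is no longer set, with nothing in this branch to flag it. Since the description calls the removed line redundant rather than wrong, it is also worth confirming that the Fixes: tag is intended for a change with no behavioural effect.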
>
> base-commit: 1fdb22c54a5f64fb9c8a78b0dc36afea87245c15