[apparmor] [PATCH 0/5] Enable operations with disconnected paths to succeed in complain mode
Ryan Lee
ryan.lee at canonical.com
Tue Mar 4 20:55:49 UTC 2025
AppArmor was previously blocking operations with disconnected paths, even
when the profile was loaded in complain mode. Instead, this patchset audits
the disconnected path as being prefixed with a '#' sentinel, and updates
the other code doing path lookups to continue with mediation with complain
mode profiles.

Similar checks will be needed for disconnection in the IPC case, once that
code is ready.

Ryan Lee (5):
  apparmor: pass complain-mode information to aa_path_name path lookup
  apparmor: don't return early in profile_path_perm for disconnected
    paths in complain mode
  apparmor: create new learning profile in complain mode upon disconnect
    exec
  apparmor: don't bail early in mount on disconnected paths in complain
    mode
  apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd
    inheritance

 security/apparmor/domain.c       | 40 ++++++++++++++++++++++++--------
 security/apparmor/file.c         | 21 +++++++++++++----
 security/apparmor/include/path.h |  4 ++--
 security/apparmor/mount.c        | 19 +++++++++------
 security/apparmor/path.c         | 37 +++++++++++++++++++----------
 5 files changed, 86 insertions(+), 35 deletions(-)

--
2.43.0