[apparmor] [PATCH 2/5] apparmor: don't return early in profile_path_perm for disconnected paths in complain mode
Ryan Lee
ryan.lee at canonical.com
Tue Mar 4 20:55:51 UTC 2025
profile_path_perm does the path lookup for file operations. If in complain
mode, don't return early upon path lookup failure, but instead proceed to
file path mediation. Because of the sentinel character replacement, the
mediation will fail, and the subsequent audit mechanisms will allow the
operation to proceed while generating a complain-mode audit log.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
security/apparmor/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 5e0cadb75651..c430e031db31 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -403,7 +403,7 @@ static int profile_path_perm(const char *op, const struct cred *subj_cred,
error = path_name(op, subj_cred, &profile->label, path,
flags | profile->path_flags, buffer, &name, cond,
request);
- if (error)
+ if (error && !COMPLAIN_MODE(profile))
return error;
error = __aa_path_perm(op, subj_cred, profile, name, request, cond,
flags, perms, prompt);
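Review bot: The new test `if (error && !COMPLAIN_MODE(profile))` lets every path_name() failure fall through in complain mode, not only the disconnected-path case named in the subject, and `name` is then handed to __aa_path_perm() after a failed lookup. Nothing in this hunk shows that `name` points at a valid, sentinel-replaced string on every error return of path_name(), so either narrow the condition to the specific error code that disconnected paths produce or confirm that guarantee holds for all failure paths. The original lookup error is also overwritten by the following `error = __aa_path_perm(...)` assignment, so it is worth stating whether dropping it is intended. A short comment above the condition recording that the fall-through depends on the sentinel character replacement making mediation fail would keep a later change to path_name() from silently breaking this.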
--
2.43.0