[apparmor] [PATCH 4/5] apparmor: don't bail early in mount on disconnected paths in complain mode
Ryan Lee
ryan.lee at canonical.com
Tue Mar 4 20:55:53 UTC 2025
This is analogous to the change made to profile_path_perm in an earlier
patch of this patchset, applied here to the mount mediation functions.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
security/apparmor/mount.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index 21c933dc469c..9f6006a35965 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -326,7 +326,7 @@ static int match_mnt_path_str(const struct cred *subj_cred,
error = aa_path_name(mntpath, path_flags(profile, mntpath),
COMPLAIN_MODE(profile), buffer,
&mntpnt, &info, profile->disconnected);
- if (error)
+ if (error && !COMPLAIN_MODE(profile))
goto audit;
if (IS_ERR(devname)) {
error = PTR_ERR(devname);
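Review bot: The new guard `if (error && !COMPLAIN_MODE(profile))` in match_mnt_path_str lets every aa_path_name failure through in complain mode, not only the disconnected-path case named in the subject, and execution then continues with `mntpnt` and a non-zero `error`. Whether `mntpnt` is a valid NUL-terminated string after other failures (a name that is too long, for example) is not visible here, and the same pattern repeats in profile_umount, where `name` feeds aa_dfa_match next, and twice in build_pivotroot. If only disconnected paths are meant to be tolerated, narrow the test, e.g. `if (error && !(COMPLAIN_MODE(profile) && error == -EACCES))`, assuming -EACCES is what aa_path_name returns for a disconnected path; otherwise add a comment such as `/* complain mode: aa_path_name still fills in a usable name on failure */` once that is confirmed. The function body starts before and continues after this hunk.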
@@ -388,7 +388,7 @@ static int match_mnt(const struct cred *subj_cred,
COMPLAIN_MODE(profile),
devbuffer, &devname, &info,
profile->disconnected);
- if (error)
+ if (error && !COMPLAIN_MODE(profile))
devname = ERR_PTR(error);
}
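Review bot: In match_mnt the complain-mode path now leaves `devname` unmarked and `error` non-zero after a failed aa_path_name, so the failure is no longer signalled to whatever consumes `devname` afterwards. Complain mode exists to log what would have been denied, so it is worth confirming that the `info` set by this lookup still reaches the audit record; that code is outside the hunk. A comment above the test, e.g. `/* complain mode: keep the name aa_path_name produced; the failure is reported via info */`, would record the intent.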
@@ -623,7 +623,7 @@ static int profile_umount(const struct cred *subj_cred,
error = aa_path_name(path, path_flags(profile, path),
COMPLAIN_MODE(profile), buffer, &name,
&info, profile->disconnected);
- if (error)
+ if (error && !COMPLAIN_MODE(profile))
goto audit;
state = aa_dfa_match(rules->policy->dfa,
@@ -692,13 +692,13 @@ static struct aa_label *build_pivotroot(const struct cred *subj_cred,
COMPLAIN_MODE(profile),
old_buffer, &old_name, &info,
profile->disconnected);
- if (error)
+ if (error && !COMPLAIN_MODE(profile))
goto audit;
error = aa_path_name(new_path, path_flags(profile, new_path),
COMPLAIN_MODE(profile),
new_buffer, &new_name, &info,
profile->disconnected);
- if (error)
+ if (error && !COMPLAIN_MODE(profile))
goto audit;
error = -EACCES;
--
2.43.0