[apparmor] Re: [PATCH 5/5] apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd inheritance

Christian Boltz apparmor at cboltz.de
Sat Mar 8 19:21:18 UTC 2025


Hello,

On Tuesday, 4 March 2025, 21:55, Ryan Lee wrote:
> Inheritance of fd's triggers the lookup logic, and O_PATH fd's are
> checked with an empty request set. If the O_PATH fd corresponds to a
> disconnected path for an application with a profile in complain mode,
> we have an error without a request bit set in aa_audit_file. Until we
> can handle O_PATH fd inheritance better, the best we can do for now
> is disable the AA_BUG line.
> 
> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
> ---
>  security/apparmor/file.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> index c430e031db31..3267a597526e 100644
> --- a/security/apparmor/file.c
> +++ b/security/apparmor/file.c
> @@ -271,7 +271,18 @@ int aa_audit_file(const struct cred *subj_cred,
>  	} else {
>  		/* only report permissions that were denied */
>  		ad.request = ad.request & ~perms->allow;
> -		AA_BUG(!ad.request);
> +
> +		/*
> +		 * Inheritance of fd's across execution boundaries causes the
> +		 * path name lookup logic to be triggered for all the fd's.
> +		 * This includes O_PATH fd's for which the original requested
> +		 * set is empty. An O_PATH fd with a disconnected path results
> +		 * in a lookup error, which in complain mode, means we reach
> +		 * this branch with an empty request. Until we have a better
> +		 * way to detect and handle this case, we have to disable this
> +		 * AA_BUG line.
> +		 */
> +		// AA_BUG(!ad.request);
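Review bot: the replacement line `// AA_BUG(!ad.request);` is a C++-style comment, which kernel coding style rejects, and a commented-out call is dead code; the block comment above already records why the check is gone, so either drop that line or, better, keep the assertion guarded so it still fires outside complain mode, where the description says the empty-request case cannot be reached. Disabling it unconditionally means a caller that reaches this branch with an empty request in enforce mode is no longer caught.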

Assuming I got your description right, this AA_BUG will only "explode" 
in complain mode.

Would it be possible to do something like (pseudocode)

    if (!complain_mode)
        AA_BUG(!ad.request);

so that AA_BUG only gets skipped for complain mode profiles, instead of 
completely commenting it out?


Regards,

Christian Boltz
-- 
What you need is a list of all unknown bugs.  ;-)
[James Knott in opensuse-factory]
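The O_PATH behaviour that the patch description relies on (an O_PATH fd requests no data access, so its request set is empty, and it is inherited across exec unless O_CLOEXEC was set), shown as an added user-space example written for this thread; it is not AppArmor or kernel code and assumes Linux with a writable /tmp:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo, not AppArmor code: open `path` with O_PATH, record the
 * errno a read() on it yields and whether the fd would survive execve()
 * (FD_CLOEXEC clear). Returns 0, or -errno if the open itself failed. */
int probe_o_path(const char *path, int extra, int *read_err, int *inherited)
{
    int fd = open(path, O_PATH | extra);
    if (fd < 0)
        return -errno;
    char buf[1];
    /* O_PATH requests no data access, so read() fails with EBADF even as root. */
    *read_err = (read(fd, buf, sizeof buf) < 0) ? errno : 0;
    /* F_GETFD is one of the few fcntl operations allowed on an O_PATH fd. */
    int fdflags = fcntl(fd, F_GETFD);
    *inherited = (fdflags >= 0) && !(fdflags & FD_CLOEXEC);
    close(fd);
    return 0;
}

/* Create a mode-0000 temp file (call once): O_RDONLY would be refused to an
 * unprivileged user, yet O_PATH still succeeds because it asks for nothing.
 * Returns the path (caller unlinks it) or NULL. */
char *make_noaccess_file(void)
{
    static char tmpl[] = "/tmp/opath-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    fchmod(fd, 0);
    close(fd);
    return tmpl;
}

int main(void)
{
    int err = 0, inh = 0;
    char *p = make_noaccess_file();
    if (!p || probe_o_path(p, 0, &err, &inh) != 0)
        return 1;
    printf("read errno=%d (EBADF=%d), inherited across exec=%d\n", err, EBADF, inh);
    unlink(p);
    return 0;
}
```

Because the descriptor carries no read/write permission, the mask AppArmor has to re-check for it after exec is empty, which is exactly the state the commented-out AA_BUG was guarding against.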