[apparmor] [PATCH v2 0/5] Enable operations with disconnected paths to succeed in complain mode
Ryan Lee
ryan.lee at canonical.com
Wed Mar 12 17:45:58 UTC 2025
AppArmor was previously blocking operations with disconnected paths, even
when the profile was loaded in complain mode. Instead, this patchset audits
the disconnected path as being prefixed with a '#' sentinel, and updates
the other code doing path lookups to continue with mediation with complain
mode profiles.
Similar checks will be needed for disconnection in the IPC case, once that
code is ready.
v1 -> v2:
- "apparmor: create new learning profile in complain mode upon disconnect exec": fix grammar nit identified by Christian Boltz
- "apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd inheritance": only skip the AA_BUG line in complain mode
Ryan Lee (5):
apparmor: pass complain-mode information to aa_path_name path lookup
apparmor: don't return early in profile_path_perm for disconnected paths in complain mode
apparmor: create new learning profile in complain mode upon disconnect exec
apparmor: don't bail early in mount on disconnected paths in complain mode
apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd inheritance
security/apparmor/domain.c | 40 ++++++++++++++++++++++++--------
security/apparmor/file.c | 21 +++++++++++++----
security/apparmor/include/path.h | 4 ++--
security/apparmor/mount.c | 19 +++++++++------
security/apparmor/path.c | 37 +++++++++++++++++++----------
5 files changed, 86 insertions(+), 35 deletions(-)
--
2.43.0