[apparmor] [PATCH v2 5/5] apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd inheritance
Ryan Lee
ryan.lee at canonical.com
Wed Mar 12 17:46:03 UTC 2025
Inheritance of fd's triggers the lookup logic, and O_PATH fd's are checked
with an empty request set. If the O_PATH fd corresponds to a disconnected
path for an application with a profile in complain mode, we have an error
without a request bit set in aa_audit_file. Until we can handle O_PATH fd
inheritance better, the best we can do for now is disable the AA_BUG line
when the profile is in complain mode.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
v1 -> v2: only skip the AA_BUG line in complain mode
security/apparmor/file.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index c430e031db31..60d6273713f9 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -271,7 +271,19 @@ int aa_audit_file(const struct cred *subj_cred,
} else {
/* only report permissions that were denied */
ad.request = ad.request & ~perms->allow;
- AA_BUG(!ad.request);
+
+ /*
+ * Inheritance of fd's across execution boundaries causes the
+ * path name lookup logic to be triggered for all the fd's.
+ * This includes O_PATH fd's for which the original requested
+ * set is empty. An O_PATH fd with a disconnected path results
+ * in a lookup error, which in complain mode, means we reach
+ * this branch with an empty request. Until we have a better
+ * way to detect and handle this case, we have to disable this
+ * AA_BUG line when in complain mode.
+ */
+ if (!COMPLAIN_MODE(profile))
+ AA_BUG(!ad.request);
if (ad.request & perms->kill)
type = AUDIT_APPARMOR_KILL;
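Review bot: the guard `if (!COMPLAIN_MODE(profile))` keys the suppression on the profile's mode rather than on the condition the comment actually describes (an O_PATH fd whose original request set is empty), so any other path that reaches this branch with an empty `ad.request` in complain mode will now pass silently, while the same O_PATH/disconnected-path lookup in enforce mode still trips `AA_BUG`. Consider narrowing the condition to the triggering case instead, for example by checking that the caller's original request mask was empty (if it is still in scope here) alongside or instead of the mode check, and note in the comment that the audit record emitted below will carry no request bits in this case since `ad.request` is zero. The eleven-line comment could also be shortened to two or three lines that point at the O_PATH inheritance issue; the full rationale is already in the commit message.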
--
2.43.0