[apparmor] [PATCH 5/5] apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd inheritance
Ryan Lee
ryan.lee at canonical.com
Wed Mar 12 17:48:51 UTC 2025
On Sat, Mar 8, 2025 at 11:21 AM Christian Boltz <apparmor at cboltz.de> wrote:
>
> Hello,
>
> On Tuesday, 4 March 2025, 21:55, Ryan Lee wrote:
> > Inheritance of fd's triggers the lookup logic, and O_PATH fd's are
> > checked with an empty request set. If the O_PATH fd corresponds to a
> > disconnected path for an application with a profile in complain mode,
> > we have an error without a request bit set in aa_audit_file. Until we
> > can handle O_PATH fd inheritance better, the best we can do for now
> > is disable the AA_BUG line.
> >
> > Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
> > ---
> > security/apparmor/file.c | 13 ++++++++++++-
> > 1 file changed, 12 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> > index c430e031db31..3267a597526e 100644
> > --- a/security/apparmor/file.c
> > +++ b/security/apparmor/file.c
> > @@ -271,7 +271,18 @@ int aa_audit_file(const struct cred *subj_cred,
> > } else {
> > /* only report permissions that were denied */
> > ad.request = ad.request & ~perms->allow;
> > - AA_BUG(!ad.request);
> > +
> > + /*
> > + * Inheritance of fd's across execution boundaries causes the
> > + * path name lookup logic to be triggered for all the fd's.
> > + * This includes O_PATH fd's for which the original requested
> > + * set is empty. An O_PATH fd with a disconnected path results
> > + * in a lookup error, which in complain mode, means we reach
> > + * this branch with an empty request. Until we have a better
> > + * way to detect and handle this case, we have to disable this
> > + * AA_BUG line.
> > + */
> > + // AA_BUG(!ad.request);
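Review bot: Commenting out `AA_BUG(!ad.request)` at the end of the hunk silences the check for every profile mode, while the comment block above it only describes the complain-mode path reaching this branch with an empty request; gating the assertion on the profile's mode (AppArmor's COMPLAIN_MODE() macro, with `profile` already a parameter of aa_audit_file) keeps it active for enforcing profiles, where an empty request after masking `~perms->allow` would still indicate a logic error worth catching. As a style point, leaving the dead line as `// AA_BUG(!ad.request);` is a C99 comment holding commented-out code, which checkpatch flags; either remove the line or express the guard as live code.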
>
> Assuming I got your description right, this AA_BUG will only "explode"
> in complain mode.
>
> Would it be possible to do something like (pseudocode)
>
> if !complain_mode
> AA_BUG(!ad.request);
>
> so that AA_BUG only gets skipped for complain mode profiles, instead of
> completely commenting it out?
>
Fixed in v2, thanks
>
> Regards,
>
> Christian Boltz
> --
> What you need is a list of all unknown bugs. ;-)
> [James Knott in opensuse-factory]