[apparmor] [PATCH 0/4] Unconditionally generate audit log entries upon encountering conflicting attachments
Ryan Lee
ryan.lee at canonical.com
Fri May 2 00:55:42 UTC 2025
When profile attachment fails due to conflicting attachments, confinement silently
falls back onto either unconfined (if transitioning from unconfined) or onto ix/ux
(if transitioning via a pix/pux rule in a profile). However, conflicting attachments
are an error condition, so such occurrences should be audited unconditionally. This
patchset implements such auditing.

Ryan Lee (4):
  apparmor: force audit on unconfined exec if info is set by find_attach
  apparmor: move the "conflicting profile attachments" infostr to a
    const declaration
  apparmor: include conflicting attachment info for confined ix/ux
    fallback
  apparmor: force auditing of conflicting attachment execs from confined

 security/apparmor/domain.c | 59 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 3 deletions(-)

--
2.43.0
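
For triage on a kernel carrying this series, an added example (not part of the patchset or the AppArmor project) that filters audit records for the info string named in patch 2/4. The sample lines, their field layout, the `apparmor="AUDIT"` value and the profile and path names are constructed assumptions modelled on existing AppArmor audit records.

```python
import re

# Info string named in patch 2/4 of this series.
CONFLICT_INFO = "conflicting profile attachments"
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# String fields that audit emits unquoted and hex-encoded when they hold
# spaces, quotes or control bytes.
_UNTRUSTED = {"name", "comm", "profile", "target"}

# Constructed sample records (assumed layout, not captured from a kernel).
SAMPLE_LOG = [
    'type=AVC msg=audit(1746147342.101:210): apparmor="AUDIT" operation="exec" '
    'info="conflicting profile attachments" profile="unconfined" '
    'name="/usr/bin/example" pid=4101 comm="bash"',
    'type=AVC msg=audit(1746147342.250:211): apparmor="DENIED" operation="open" '
    'profile="example_parent" name="/etc/shadow" pid=4102 comm="cat"',
    'type=AVC msg=audit(1746147343.007:212): apparmor="AUDIT" operation="exec" '
    'info="conflicting profile attachments" profile="example_parent" '
    'name=2F6F70742F6D79206170702F72756E pid=4103 comm="sh"',
]

def parse_record(line):
    """Split one audit line into a dict, decoding hex-encoded string fields."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in _UNTRUSTED and _HEX.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields

def conflicting_attachment_execs(lines):
    """Return the AppArmor records whose info field reports a conflict."""
    keep = ("apparmor", "operation", "profile", "name", "comm", "pid")
    hits = []
    for line in lines:
        rec = parse_record(line)
        if "apparmor" in rec and rec.get("info") == CONFLICT_INFO:
            hits.append({k: rec.get(k) for k in keep})
    return hits

if __name__ == "__main__":
    for hit in conflicting_attachment_execs(SAMPLE_LOG):
        print(hit)
```

A `profile` of `unconfined` in a hit corresponds to the fallback from unconfined described in the cover letter; any other profile name corresponds to the ix/ux fallback from a confined task.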