Commit 17322cc3 authored by John Johansen

apparmor: fix auditing of domain transition failures due to incomplete policy



When policy specifies a transition to a profile that is not currently
loaded, it results in exec being denied.  However the failure is not being
audited correctly because the audit code is treating this as an allowed
permission and thus not reporting it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
parent b7ae9f06
+2 −0
@@ -443,6 +443,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
			} else {
				error = -ENOENT;
				info = "profile not found";
				/* remove MAY_EXEC to audit as failure */
				perms.allow &= ~MAY_EXEC;
			}
		}
	} else if (COMPLAIN_MODE(profile)) {
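Review bot: the comment in the "profile not found" branch, "remove MAY_EXEC to audit as failure", says what the line does but not why it is needed when error = -ENOENT is already set two lines above. Consider stating in the comment that the audit code reports a denial based on perms.allow rather than on error, as the commit message explains, so the mask clearing is not later removed as redundant. It would also help to confirm that no code after this branch reads perms.allow expecting MAY_EXEC to still reflect what policy granted, since the bit is now cleared in place rather than in a copy used only for auditing.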