Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: force auditing of conflicting attachment execs from confined

Conflicting attachment paths are an error state that result in the
binary in question executing under an unexpected ix/ux fallback. As such,
it should be audited to record the occurrence of conflicting attachments.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by Ryan Lee and committed by John Johansen
16916b17 b824b5f8

+9
security/apparmor/domain.c
··· 729 729 new = x_to_label(profile, bprm, name, perms.xindex, &target, 730 730 &info); 731 731 if (new && new->proxy == profile->label.proxy && info) { 732 + /* Force audit on conflicting attachment fallback 733 + * Because perms is never used again after this audit 734 + * we don't need to care about clobbering it 735 + */ 736 + if (info == CONFLICTING_ATTACH_STR_IX 737 + || info == CONFLICTING_ATTACH_STR_UX) { 738 + perms.audit |= MAY_EXEC; 739 + perms.allow |= MAY_EXEC; 740 + } 732 741 /* hack ix fallback - improve how this is detected */ 733 742 goto audit; 734 743 } else if (!new) {
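
Review bot: the new condition `info == CONFLICTING_ATTACH_STR_IX || info == CONFLICTING_ATTACH_STR_UX` compares pointers rather than string contents, so the forced audit only fires if x_to_label() stores those exact objects in `info`. Their definitions are not visible in this hunk; if they are string-literal macros, C does not guarantee one address per literal, and the audit would then be skipped silently, which is the worst failure mode for a change whose purpose is to record the event. Consider having x_to_label() return an explicit flag for the conflicting-attachment case, which would also address the existing "hack ix fallback - improve how this is detected" comment on the same branch. The added comment explains why clobbering `perms` is safe but not why `perms.allow |= MAY_EXEC` is needed alongside `perms.audit |= MAY_EXEC`; one sentence on that would help, since widening `allow` in an error path invites questions. Style: the `||` belongs at the end of the previous line, and the multi-line comment should open with a bare `/*` line.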