Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: move check for aa_null file to cover all cases

Files with a dentry pointing to aa_null.dentry were already rejected as
part of file_inheritance. Unfortunately the check in
common_file_perm() is insufficient to cover all cases, causing
unnecessary audit messages without the original file's context.

E.g.
[ 442.886474] audit: type=1400 audit(1704822661.616:329): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec"

Further examples of this are in the logs of
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2120439
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1952084
https://bugs.launchpad.net/snapd/+bug/2049099

These messages have no value and should not be sent to the logs.
AppArmor was already filtering them out in some cases but the original
patch did not catch all cases. Fix this by pushing the existing check
down into two functions that should cover all cases.

Link: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2122743
Fixes: 192ca6b55a86 ("apparmor: revalidate files during exec")
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

+10 -6
+10 -2
security/apparmor/file.c
··· 155 155 const char *info = NULL; 156 156 int error; 157 157 158 - error = aa_path_name(path, flags, buffer, name, &info, 159 - labels_profile(label)->disconnected); 158 + /* don't reaudit files closed during inheritance */ 159 + if (unlikely(path->dentry == aa_null.dentry)) 160 + error = -EACCES; 161 + else 162 + error = aa_path_name(path, flags, buffer, name, &info, 163 + labels_profile(label)->disconnected); 160 164 if (error) { 161 165 fn_for_each_confined(label, profile, 162 166 aa_audit_file(subj_cred, ··· 620 616 621 617 AA_BUG(!label); 622 618 AA_BUG(!file); 619 + 620 + /* don't reaudit files closed during inheritance */ 621 + if (unlikely(file->f_path.dentry == aa_null.dentry)) 622 + return -EACCES; 623 623 624 624 fctx = file_ctx(file); 625 625
-4
security/apparmor/lsm.c
··· 525 525 struct aa_label *label; 526 526 int error = 0; 527 527 528 - /* don't reaudit files closed during inheritance */ 529 - if (unlikely(file->f_path.dentry == aa_null.dentry)) 530 - return -EACCES; 531 - 532 528 label = begin_current_label_crit_section(); 533 529 error = aa_file_perm(op, current_cred(), label, file, mask, false); 534 530 end_current_label_crit_section(label);
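Review bot: in the first security/apparmor/file.c hunk, setting `error = -EACCES` for the aa_null.dentry case and then falling through into the unchanged `if (error) { fn_for_each_confined(label, profile, aa_audit_file(subj_cred, ...` still emits an audit record for the null file, now with no path name and `info` left NULL, which is exactly the kind of message the commit says has no value. Consider returning ahead of the audit block instead, e.g. `if (unlikely(path->dentry == aa_null.dentry)) return -EACCES;`, so that the path-name audit is skipped the same way the early `return -EACCES` in the aa_file_perm() hunk skips it.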
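Review bot: the second file.c hunk, in aa_file_perm(), repeats the same comment and the same `dentry == aa_null.dentry` test that the first hunk adds; a one-line static inline helper (something like `is_aa_null_dentry(dentry)`, name suggested here, not from the patch) would keep the two copies from drifting apart. The placement after `AA_BUG(!file)` is right, since the check dereferences `file->f_path`.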
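Review bot: with the check removed from the security/apparmor/lsm.c hook, the aa_null case is now rejected inside aa_file_perm() only after `begin_current_label_crit_section()` has been entered, so the file is still refused with -EACCES but slightly later than before; that is functionally fine, and the commit message would be easier to follow if it named aa_file_perm() (and the path-name function of the first file.c hunk) as the two functions the check was pushed down into, since this hunk alone only shows the deletion.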