Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux

apparmor: force audit on unconfined exec if info is set by find_attach

find_attach may set info if something unusual happens during that process
(currently only used to signal conflicting attachments, but this could be
expanded in the future). This is information that should be propagated to
userspace via an audit message.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Authored by Ryan Lee, committed by John Johansen
Commits: 89a3561e 95ff1189

security/apparmor/domain.c (+16 lines)
··· 670 670 if (profile_unconfined(profile)) { 671 671 new = find_attach(bprm, profile->ns, 672 672 &profile->ns->base.profiles, name, &info); 673 + /* info set -> something unusual that we should report 674 + * Currently this is only conflicting attachments, but other 675 + * infos added in the future should also be logged by default 676 + * and only excluded on a case-by-case basis 677 + */ 678 + if (info) { 679 + /* Because perms is never used again after this audit 680 + * we don't need to care about clobbering it 681 + */ 682 + perms.audit |= MAY_EXEC; 683 + perms.allow |= MAY_EXEC; 684 + /* Don't cause error if auditing fails */ 685 + (void) aa_audit_file(subj_cred, profile, &perms, 686 + OP_EXEC, MAY_EXEC, name, target, new, cond->uid, 687 + info, error); 688 + } 673 689 if (new) { 674 690 AA_DEBUG(DEBUG_DOMAIN, "unconfined attached to new label"); 675 691 return new;
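Review bot: the new audit call runs before the existing `if (new)` check, so when find_attach sets `info` but returns a NULL label, `aa_audit_file(..., name, target, new, ...)` is invoked with `new == NULL`; either confirm that the audit helper tolerates a NULL target label, or place the `if (info)` block so that it shares the NULL guard when a conflict implies no label is returned. The `error` value passed through is also not visible in this hunk; if it can be stale from an earlier step, the audit record would misreport a denial for what is an informational event, so consider passing `0` explicitly in this branch. Finally, the comment that `perms` "is never used again" is an assumption a later change can silently break; building the audit permissions in a separate local perms struct instead of `perms.audit |= MAY_EXEC; perms.allow |= MAY_EXEC;` would make that intent explicit and remove the need for the comment.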