Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: include conflicting attachment info for confined ix/ux fallback

Instead of silently overwriting the conflicting profile attachment string,
include that information in the ix/ux fallback string that gets set as info
instead. Also add a warning print if some other info is set that would be
overwritten by the ix/ux fallback string or by the profile not found error.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Authored by Ryan Lee and committed by John Johansen
b824b5f8 e76d733b

+33 -2
security/apparmor/domain.c
··· 29 29 #include "include/policy_ns.h" 30 30 31 31 static const char * const CONFLICTING_ATTACH_STR = "conflicting profile attachments"; 32 + static const char * const CONFLICTING_ATTACH_STR_IX = 33 + "conflicting profile attachments - ix fallback"; 34 + static const char * const CONFLICTING_ATTACH_STR_UX = 35 + "conflicting profile attachments - ux fallback"; 32 36 33 37 /** 34 38 * may_change_ptraced_domain - check if can change profile on ptraced task ··· 581 577 struct aa_label *stack = NULL; 582 578 struct aa_ns *ns = profile->ns; 583 579 u32 xtype = xindex & AA_X_TYPE_MASK; 580 + /* Used for info checks during fallback handling */ 581 + const char *old_info = NULL; 584 582 585 583 switch (xtype) { 586 584 case AA_X_NONE: ··· 619 613 /* (p|c|n)ix - don't change profile but do 620 614 * use the newest version 621 615 */ 622 - *info = "ix fallback"; 616 + if (*info == CONFLICTING_ATTACH_STR) { 617 + *info = CONFLICTING_ATTACH_STR_IX; 618 + } else { 619 + old_info = *info; 620 + *info = "ix fallback"; 621 + } 623 622 /* no profile && no error */ 624 623 new = aa_get_newest_label(&profile->label); 625 624 } else if (xindex & AA_X_UNCONFINED) { 626 625 new = aa_get_newest_label(ns_unconfined(profile->ns)); 627 - *info = "ux fallback"; 626 + if (*info == CONFLICTING_ATTACH_STR) { 627 + *info = CONFLICTING_ATTACH_STR_UX; 628 + } else { 629 + old_info = *info; 630 + *info = "ux fallback"; 631 + } 632 + } 633 + /* We set old_info on the code paths above where overwriting 634 + * could have happened, so now check if info was set by 635 + * find_attach as well (i.e. whether we actually overwrote) 636 + * and warn accordingly. 
637 + */ 638 + if (old_info && old_info != CONFLICTING_ATTACH_STR) { 639 + pr_warn_ratelimited( 640 + "AppArmor: find_attach (from profile %s) audit info \"%s\" dropped", 641 + profile->base.hname, old_info); 628 642 } 629 643 } 630 644 ··· 732 706 /* hack ix fallback - improve how this is detected */ 733 707 goto audit; 734 708 } else if (!new) { 709 + if (info) { 710 + pr_warn_ratelimited( 711 + "AppArmor: %s (from profile %s) audit info \"%s\" dropped on missing transition", 712 + __func__, profile->base.hname, info); 713 + } 735 714 info = "profile transition not found"; 736 715 /* remove MAY_EXEC to audit as failure or complaint */ 737 716 perms.allow &= ~MAY_EXEC;
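Review bot: in the ix/ux fallback hunk, `if (*info == CONFLICTING_ATTACH_STR)` compares pointers, not string contents, so it only matches when the earlier code set `*info` from the same `CONFLICTING_ATTACH_STR` symbol; a one-line comment saying that the identity comparison is intentional would keep a later strcmp/strdup refactor from silently defeating the fallback. The guard `if (old_info && old_info != CONFLICTING_ATTACH_STR)` also carries a redundant clause: `old_info` is only assigned in the `else` branches, which run precisely when `*info != CONFLICTING_ATTACH_STR`, so either drop the second condition or state why it is kept. Finally, the message text hard-codes "find_attach" as the source of the dropped info, while the lower hunk uses `__func__`; if anything else assigns `*info` before this switch, the attribution becomes misleading, so a generic wording ("audit info \"%s\" overwritten by %s fallback") would stay accurate.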
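Review bot: in the `!new` hunk, the new `if (info)` check only logs the previous string; the next line still replaces it with "profile transition not found", so the original reason is absent from the audit record itself and survives only in the rate-limited kernel log. If the dropped value matters for triage (the conflicting-attachment case this change is about), consider carrying it into the audit data instead of, or in addition to, `pr_warn_ratelimited`, or say in the commit message that the log line is the intended place to find it. Rate limiting is the right choice for a message reachable from ordinary exec paths, so that part should stay.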