apparmor: fix auditing of domain transition failures due to incomplete policy
When policy specifies a transition to a profile that is not currently loaded, it results in exec being denied. However, the failure is not being audited correctly because the audit code is treating this as an allowed permission and thus not reporting it. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>
parent
b7ae9f064b
commit
17322cc3f9
@ -443,6 +443,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
|||||||
} else {
|
} else {
|
||||||
error = -ENOENT;
|
error = -ENOENT;
|
||||||
info = "profile not found";
|
info = "profile not found";
|
||||||
|
/* remove MAY_EXEC to audit as failure */
|
||||||
|
perms.allow &= ~MAY_EXEC;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else if (COMPLAIN_MODE(profile)) {
|
} else if (COMPLAIN_MODE(profile)) {
|
||||||
|
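Review bot: The added comment `/* remove MAY_EXEC to audit as failure */` says what the next line does but not why clearing an allow bit is the right way to report the denial, which is the part a later reader is most likely to question or revert. Going by the commit message, the audit code treats the request as allowed, presumably because it derives the denial from `perms.allow` rather than from `error`; I would spell that out, e.g. `/* audit keys off perms.allow, not error: drop MAY_EXEC so this -ENOENT is logged as a denial */`. The body of apparmor_bprm_set_creds starts and ends outside the hunk, so it is worth checking that no other path in it sets `error` while `perms.allow` still carries MAY_EXEC, since that would leave the same kind of unlogged exec denial. It is equally worth confirming that nothing after the "profile not found" branch reads `perms.allow` expecting the policy's original answer.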