Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

apparmor: fix auditing of domain transition failures due to incomplete policy

When policy specifies a transition to a profile that is not currently
loaded, it result in exec being denied.  However the failure is not being
audited correctly because the audit code is treating this as an allowed
permission and thus not reporting it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
John Johansen 12 years ago
parent
b7ae9f064b
commit
17322cc3f9
1 changed files with 2 additions and 0 deletions
Split View Show Diff Stats
  1. 2 0
      security/apparmor/domain.c

+ 2 - 0
security/apparmor/domain.c
View File 

@@ -443,6 +443,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 
 			} else {
 
 				error = -ENOENT;
 
 				info = "profile not found";
 
+				/* remove MAY_EXEC to audit as failure */
 
+				perms.allow &= ~MAY_EXEC;
 
 			}
 
 		}
 
 	} else if (COMPLAIN_MODE(profile)) {