[apparmor] [PATCH 01/27] apparmor: fix auditing of domain transition failures due to incomplete policy

John Johansen john.johansen at canonical.com
Wed Nov 21 04:39:41 UTC 2012


When policy specifies a transition to a profile that is not currently
loaded, it results in exec being denied.  However the failure is not being
audited correctly if only auditing denials.

This is because the exec permission was granted and is still set in
the mask but the audit code is using this to mask off permissions requests
that were granted.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/domain.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 60f0c76..2cbb9df 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -443,6 +443,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 			} else {
 				error = -ENOENT;
 				info = "profile not found";
+				perms.allow &= ~MAY_EXEC;
 			}
 		}
 	} else if (COMPLAIN_MODE(profile)) {
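Review bot: the fix clears MAY_EXEC from perms.allow only in the "profile not found" else branch shown here; if any other branch of apparmor_bprm_set_creds sets error after exec was already granted in the mask, it would have the same audit-masking problem, so it is worth confirming this is the only such path. A short comment above `perms.allow &= ~MAY_EXEC;` noting that the audit code masks off permissions recorded as granted (which is why the bit must be dropped on this error path) would save the next reader a trip to the commit log.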
-- 
1.7.10.4
