[apparmor] [PATCH 01/27] apparmor: fix auditing of domain transition failures due to incomplete policy
John Johansen
john.johansen at canonical.com
Wed Nov 21 17:36:24 UTC 2012
On 11/21/2012 06:43 AM, Steve Beattie wrote:
> On Tue, Nov 20, 2012 at 08:39:41PM -0800, John Johansen wrote:
>> When policy specifies a transition to a profile that is not currently
>> loaded, it results in exec being denied. However, the failure is not being
>> audited correctly if only auditing denials.
>>
>> This is because the exec permission was granted and is still set in
>> the mask, but the audit code is using this to mask off permission requests
>> that were granted.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>
> Acked-By: Steve Beattie <sbeattie at ubuntu.com> though a comment
> explaining why you're manipulating perms.allow might be nice.
>
Sorry that my explanation didn't help. I'll try again.
Policy granted the exec, so MAY_EXEC in perms.allow is set;
however, the search for a matching profile failed, and we of course
want to reject and audit this.
> I can't decide if the need to do this feels like a failing of the
> aa_audit_file() API.
>
It could be taken that way. What is happening is the failure is
being noticed, but the audit code doesn't report failures for permissions
that were granted.
e.g. request rw, get granted r, report failure for w perm
In this case we have a failure, but the audit code sees that the requested
perm was granted and drops the message. I think that perhaps in this
case the audit code should notice that
allowed == denied
and that the error must be something else and log it.
>> ---
>> security/apparmor/domain.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
>> index 60f0c76..2cbb9df 100644
>> --- a/security/apparmor/domain.c
>> +++ b/security/apparmor/domain.c
>> @@ -443,6 +443,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
>> } else {
>> error = -ENOENT;
>> info = "profile not found";
>> + perms.allow &= ~MAY_EXEC;
>> }
>> }
>> } else if (COMPLAIN_MODE(profile)) {
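Review bot: the added `perms.allow &= ~MAY_EXEC;` in the "profile not found" branch deliberately clears a permission that policy did grant, purely so that the audit path stops masking the -ENOENT failure out of the report; nothing in the hunk says so, and the ack on this thread asked for exactly that, so a one-line comment next to it (e.g. `/* exec was granted, but the target profile is missing; clear it so the failure is audited */`) should go in with the change. The line is also a workaround for the audit code dropping any record whose requested bits were all granted even when `error` is set; if the audit code is taught to log the `allowed == denied` case with a non-zero error, as the reply suggests, this clearing becomes unnecessary and could be dropped again.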
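The masking behaviour discussed above, as an added example that is not part of the patch or of AppArmor's own code. It is a simplified model of the denial path described in the thread (report only the requested bits that policy did not grant; drop a record with no denied bits), written as an assumption rather than a copy of aa_audit_file(). The MAY_* bit values, the struct layouts and the helper names are constructed for the example. It runs the three cases the thread talks about side by side: the ordinary rw-requested/r-granted denial the masking exists for, the missing-profile transition before and after the hunk's `perms.allow &= ~MAY_EXEC;`, and the alternative of having the audit code log an error even when nothing was denied.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed permission bits for the model; the kernel's MAY_* values are not copied. */
#define MAY_EXEC  0x1u
#define MAY_WRITE 0x2u
#define MAY_READ  0x4u

struct file_perms {
	unsigned int allow;  /* permissions policy granted */
	unsigned int audit;  /* permissions policy asked to force-audit on success */
};

struct audit_result {
	bool emitted;        /* was an audit record written? */
	unsigned int denied; /* which requested bits the record lists as denied */
	int error;           /* error returned to the caller, unchanged by auditing */
};

/*
 * Simplified model (an assumption, not the kernel's aa_audit_file()) of the
 * denial path: only bits of the request that policy did not grant are reported,
 * and a record with no denied bits is dropped. log_error_without_denial is the
 * alternative raised in the reply: if error is set but nothing was denied,
 * the error must come from elsewhere, so log it anyway.
 */
static struct audit_result model_audit_file(const struct file_perms *perms,
					    unsigned int request, int error,
					    bool log_error_without_denial)
{
	struct audit_result r = { .emitted = false, .denied = 0, .error = error };

	if (!error) {
		/* success path: only force-audited permissions produce a record */
		if (request & perms->audit)
			r.emitted = true;
		return r;
	}

	/* failure path: mask off everything policy granted */
	r.denied = request & ~perms->allow;
	if (r.denied == 0 && !log_error_without_denial)
		return r;	/* everything requested was granted: record dropped */

	r.emitted = true;
	return r;
}

/*
 * The case in the patch: policy grants exec to a target profile that is not
 * loaded, so the caller sets error = -ENOENT while allow still has MAY_EXEC.
 * apply_patch mirrors the hunk's `perms.allow &= ~MAY_EXEC;`.
 */
static struct audit_result exec_to_missing_profile(bool apply_patch,
						   bool audit_api_fix)
{
	struct file_perms perms = { .allow = MAY_EXEC, .audit = 0 };
	int error = -ENOENT;

	if (apply_patch)
		perms.allow &= ~MAY_EXEC;

	return model_audit_file(&perms, MAY_EXEC, error, audit_api_fix);
}

/* The ordinary case the masking exists for: rw requested, only r granted. */
static struct audit_result partial_grant(void)
{
	struct file_perms perms = { .allow = MAY_READ, .audit = 0 };

	return model_audit_file(&perms, MAY_READ | MAY_WRITE, -EACCES, false);
}

static void show(const char *label, struct audit_result r)
{
	printf("%-34s emitted=%d denied=0x%x error=%d\n",
	       label, r.emitted, r.denied, r.error);
}

int main(void)
{
	show("rw requested, r granted:", partial_grant());
	show("missing profile, unpatched:", exec_to_missing_profile(false, false));
	show("missing profile, with patch:", exec_to_missing_profile(true, false));
	show("missing profile, audit-side fix:", exec_to_missing_profile(false, true));
	return 0;
}
```

The unpatched missing-profile case is the bug: the caller still returns -ENOENT, but because every requested bit is in allow the denied mask is empty and no record is emitted. Clearing MAY_EXEC (the hunk) makes the record appear with exec listed as denied; the audit-side alternative emits a record with an empty denied mask and the error, which is the "allowed == denied, so the error is something else" signal from the reply.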