[apparmor] [PATCH 04/16] apparmor: exec should not be returning ENOENT when it denies
John Johansen
john.johansen at canonical.com
Thu Apr 21 06:52:46 UTC 2016
The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index dc0027b..67a7418 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
new_profile = aa_get_newest_profile(ns->unconfined);
info = "ux fallback";
} else {
- error = -ENOENT;
+ error = -EACCES;
info = "profile not found";
/* remove MAY_EXEC to audit as failure */
perms.allow &= ~MAY_EXEC;
--
2.7.4
More information about the AppArmor
mailing list