[apparmor] [PATCH] apparmor: replace misleading 'scrubbing environment' phrase in debug print

John Johansen john.johansen at canonical.com
Sat Nov 9 20:55:07 UTC 2024


On 8/28/24 15:24, Ryan Lee wrote:
> The wording of 'scrubbing environment' implied that all environment
> variables would be removed, when instead secure-execution mode only
> removes a small number of environment variables. This patch updates the
> wording to describe what actually occurs instead: setting AT_SECURE for
> ld.so's secure-execution mode.
> 
> Link: https://gitlab.com/apparmor/apparmor/-/merge_requests/1315 is a
> merge request that does similar updating for apparmor userspace.
> 
> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>

Acked-by: John Johansen <john.johansen at canonical.com>

I have pulled this into my tree

> ---
>   security/apparmor/domain.c | 10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 9914a2b130de..c89f4222f2e9 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -720,8 +720,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
>   
>   	if (!(perms.xindex & AA_X_UNSAFE)) {
>   		if (DEBUG_ON) {
> -			dbg_printk("apparmor: scrubbing environment variables"
> -				   " for %s profile=", name);
> +			dbg_printk("apparmor: setting AT_SECURE "
> +				   "for %s profile=", name);
>   			aa_label_printk(new, GFP_KERNEL);
>   			dbg_printk("\n");
>   		}
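
Review bot: The reworded message in profile_transition() is still split across two string literals ("apparmor: setting AT_SECURE " followed by "for %s profile="). Kernel coding style asks that user-visible strings not be broken, so that they can be found with grep. Since the line is being rewritten anyway, consider a single literal: dbg_printk("apparmor: setting AT_SECURE for %s profile=", name);
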
> @@ -799,8 +799,8 @@ static int profile_onexec(const struct cred *subj_cred,
>   
>   	if (!(perms.xindex & AA_X_UNSAFE)) {
>   		if (DEBUG_ON) {
> -			dbg_printk("apparmor: scrubbing environment "
> -				   "variables for %s label=", xname);
> +			dbg_printk("apparmor: setting AT_SECURE for "
> +				   "%s label=", xname);
>   			aa_label_printk(onexec, GFP_KERNEL);
>   			dbg_printk("\n");
>   		}
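
Review bot: The split point of the string in profile_onexec() differs from the one in the profile_transition() hunk: here the break comes after "for ", there it comes before "for". A source search for "setting AT_SECURE for" therefore matches this call site but not the other one. Joining the text into one literal, or at least breaking both at the same place, would keep the two messages consistent.
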
> @@ -970,7 +970,7 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
>   
>   	if (unsafe) {
>   		if (DEBUG_ON) {
> -			dbg_printk("scrubbing environment variables for %s "
> +			dbg_printk("setting AT_SECURE for %s "
>   				   "label=", bprm->filename);
>   			aa_label_printk(new, GFP_KERNEL);
>   			dbg_printk("\n");
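
Review bot: The message in apparmor_bprm_creds_for_exec() has no "apparmor: " prefix, while the two other messages reworded by this patch start with it. The old text lacked the prefix as well, but since this line is being touched, consider "apparmor: setting AT_SECURE for %s " so all three debug lines can be filtered the same way, or note in the commit message that the difference is intentional.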



